Detectionmediumtest
Powershell Local Email Collection
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script
Definition
Requirements: Script Block Logging must be enabled
Detection Logic
Detection Logic1 selector
detection:
selection:
ScriptBlockText|contains:
- 'Get-Inbox.ps1'
- 'Microsoft.Office.Interop.Outlook'
- 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
- '-comobject outlook.application'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
2837e152-93c8-43d2-85ba-c3cd3c2ae614
Status
test
Level
medium
Type
Detection
Created
Wed Jul 21
Modified
Sun Dec 25
Author
Path
rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
Raw Tags
attack.collectionattack.t1114.001