Detectioncriticaltest

Suspicious PowerShell Mailbox Export to Share - PS

Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Oct 264a241dea-235b-4a7e-8d76-50d817b146c4windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
            - ' -FilePath \\\\'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0010 · Exfiltration

Related Rules

DerivedDetectioncritical

Suspicious PowerShell Mailbox Export to Share

Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

4a241dea-235b-4a7e-8d76-50d817b146c4

Status

test

Level

critical

Type

Detection

Created

Wed Oct 26

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml

Raw Tags

attack.exfiltration

View on GitHub