Threat Huntmediumtest

Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet

Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Mon Sep 26Updated Fri Nov 019a7afa56-4762-43eb-807d-c3dc9ffe211bwindows

Hunting Hypothesis

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains: 'Send-MailMessage*-Attachments'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0010 · Exfiltration

Sub-techniques

T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol

Other

detection.threat-hunting

Rule Metadata

Rule ID

9a7afa56-4762-43eb-807d-c3dc9ffe211b

Status

test

Level

medium

Type

Threat Hunt

Created

Mon Sep 26

Modified

Fri Nov 01

Author

François Hubaut

Path

rules-threat-hunting/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml

Raw Tags

attack.exfiltrationattack.t1048.003detection.threat-hunting

View on GitHub