Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
Sigma rule (View on GitHub)
1title: Suspicious PowerShell Mailbox Export to Share - PS
2id: 4a241dea-235b-4a7e-8d76-50d817b146c4
3related:
4 - id: 889719ef-dd62-43df-86c3-768fb08dc7c0
5 type: derived
6status: test
7description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
8references:
9 - https://youtu.be/5mqid-7zp8k?t=2481
10 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
11 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
12 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-10-26
15tags:
16 - attack.exfiltration
17logsource:
18 product: windows
19 category: ps_script
20 definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22 selection:
23 ScriptBlockText|contains|all:
24 - 'New-MailboxExportRequest'
25 - ' -Mailbox '
26 - ' -FilePath \\\\'
27 condition: selection
28fields:
29 - CommandLine
30 - ParentCommandLine
31falsepositives:
32 - Unknown
33level: critical
References
-
This will be a high-level summary of the different logs that can be found on an On-Premises Exchange server, which can be useful during an IR. For each log, I’ll try to explain what we can ac…
Read More
Related rules
- APT40 Dropbox Tool User Agent
- AWS EC2 VM Export Failure
- AWS RDS Master Password Change
- AWS S3 Data Management Tampering
- AWS Snapshot Backup Exfiltration