Powershell Exfiltration Over SMTP

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Sigma rule (View on GitHub)

 1title: Powershell Exfiltration Over SMTP
 2id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
 3status: test
 4description: |
 5    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
 6    The data may also be sent to an alternate network location from the main command and control server.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
 9    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
10    - https://www.ietf.org/rfc/rfc2821.txt
11author: frack113
12date: 2022/09/26
13tags:
14    - attack.exfiltration
15    - attack.t1048.003
16logsource:
17    product: windows
18    category: ps_script
19    definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21    selection:
22        ScriptBlockText|contains: 'Send-MailMessage'
23    filter:
24        ScriptBlockText|contains: 'CmdletsToExport'
25    condition: selection and not filter
26falsepositives:
27    - Legitimate script
28level: medium

References

Related rules

to-top