Powershell Exfiltration Over SMTP

calendar Oct 17, 2023 · attack.exfiltration attack.t1048.003  ·
Share on: linkedin copy

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Sigma rule (View on GitHub)

 1title: Powershell Exfiltration Over SMTP
 2id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
 3status: test
 4description: |
 5    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
 6    The data may also be sent to an alternate network location from the main command and control server.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
 9    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
10    - https://www.ietf.org/rfc/rfc2821.txt
11author: frack113
12date: 2022/09/26
13tags:
14    - attack.exfiltration
15    - attack.t1048.003
16logsource:
17    product: windows
18    category: ps_script
19    definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21    selection:
22        ScriptBlockText|contains: 'Send-MailMessage'
23    filter:
24        ScriptBlockText|contains: 'CmdletsToExport'
25    condition: selection and not filter
26falsepositives:
27    - Legitimate script
28level: medium

References

  • atomic-red-team/atomics/T1048.003/T1048.003.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

    Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team


    Read More

  • Send-MailMessage (Microsoft.PowerShell.Utility) - PowerShell

    The Send-MailMessage cmdlet sends an email message from within PowerShell. You must specify a Simple Mail Transfer Protocol (SMTP) server or the Send-MailMessage command fails. Use the SmtpServer parameter or set the $PSEmailServer variable to a valid SMTP server. The value assigned to $PSEmailServer is the default SMTP setting for PowerShell. For more information, see about_Preference_Variables. Warning The Send-MailMessage cmdlet is obsolete. This cmdlet doesn't guarantee secure connections to SMTP servers. While there is no immediate replacement available in PowerShell, we recommend you do not use Send-MailMessage. For more information, see Platform Compatibility note DE0005.


    Read More

  • Network Working Group J. Klensin, Editor Request for Comments: 2821 AT&T Laboratories Obsoletes: 821, 974, 1869 April 2001 Updates: 1123 Category: Standards Track Simple Mail Transfer Protocol Stat...


    Read More

Related rules

to-top