Email Exifiltration Via Powershell

 1title: Email Exifiltration Via Powershell
 2id: 312d0384-401c-4b8b-abdf-685ffba9a332
 3status: test
 4description: Detects email exfiltration via powershell cmdlets
 5references:
 6    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 7    - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
 8author: Nasreddine Bencherchali (Nextron Systems),  Azure-Sentinel (idea)
 9date: 2022/09/09
10tags:
11    - attack.exfiltration
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        Image|endswith:
18            - '\powershell.exe'
19            - '\pwsh.exe'
20        CommandLine|contains|all:
21            - 'Add-PSSnapin'
22            - 'Get-Recipient'
23            - '-ExpandProperty'
24            - 'EmailAddresses'
25            - 'SmtpAddress'
26            - '-hidetableheaders'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

• https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/

  
  Read More

• Azure-Sentinel/Hunting Queries/Microsoft 365 Defender/Ransomware/DEV-0270/Email data exfiltration via PowerShell.yaml at 7e6aa438e254d468feec061618a7877aa528ee9f · Azure/Azure-Sentinel

  

  Cloud-native SIEM for intelligent security analytics for your entire enterprise. - Azure/Azure-Sentinel

  
  Read More

Related rules

• AWS EC2 VM Export Failure
• AWS RDS Master Password Change
• Communication To Ngrok Tunneling Service - Linux
• LOLBAS Data Exfiltration by DataSvcUtil.exe
• Powershell Exfiltration Over SMTP