Exchange PowerShell Snap-Ins Usage · Mar 24, 2023 · attack.execution attack.t1059.001 attack.collection attack.t1114
Detects adding and using Exchange PowerShell snap-ins to export mailbox data, as seen used by HAFNIUM and APT27.
Hacktool Ruler · Feb 1, 2023 · attack.discovery attack.execution attack.t1087 attack.t1114 attack.t1059 attack.t1550.002
Detects events that are generated when using the hacktool Ruler by SensePost.
PST Export Alert Using eDiscovery Alert · Nov 18, 2022 · attack.collection attack.t1114
Alerts when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually contains sensitive information, including email body content.
PST Export Alert Using New-ComplianceSearchAction · Nov 18, 2022 · attack.collection attack.t1114
Alerts when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to usage from the cloud.