Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary
mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.
Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use
this technique to capture user input, looking for credentials and/or other valuable data.
Detects scripts that contain PowerShell functions, structures, or Windows API functions related to Windows share
enumeration. Attackers, ransomware groups in particular, commonly identify and inspect network shares, looking for
data worth encrypting and/or exfiltrating.
This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these
functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain
trusts, groups, etc.
Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect
sensitive information or send email on their behalf via API.
Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon
VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be
abused to exfiltrate sensitive data from unencrypted internal traffic.
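The Traffic Mirroring description above maps onto a handful of EC2 management-plane API calls recorded in CloudTrail. The detector below is an added example, not the original rule: it keeps the `CreateTrafficMirror*`/`ModifyTrafficMirror*` actions, ignores read-only `Describe*` calls, groups what one identity does within a time window, and raises the severity once a session exists (that is the point at which packets are actually copied). The `eventName` values are real EC2 API action names; the `requestParameters` key used for the mirrored ENI and the sample records are constructed assumptions.

```python
"""Group EC2 Traffic Mirroring API calls from CloudTrail per identity and window.
Added example; requestParameters keys and the sample records are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Management-plane actions that create or change a mirror. Describe* calls are
# read-only and deliberately excluded to keep the alert precise.
MIRROR_ACTIONS = {
    "CreateTrafficMirrorTarget", "CreateTrafficMirrorFilter",
    "CreateTrafficMirrorFilterRule", "CreateTrafficMirrorSession",
    "ModifyTrafficMirrorSession", "ModifyTrafficMirrorFilterRule",
    "ModifyTrafficMirrorFilterNetworkServices",
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_traffic_mirroring(events, window_minutes=30):
    """Return one alert per identity per window of mirror-related calls.
    'high' once a CreateTrafficMirrorSession is present, 'medium' for
    target/filter preparation alone."""
    by_identity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev["eventName"] not in MIRROR_ACTIONS:
            continue
        by_identity[ev["userIdentity"]["arn"]].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for arn, evs in by_identity.items():
        clusters, current = [], []
        for ev in evs:  # already time-ordered
            if current and _ts(ev["eventTime"]) - _ts(current[0]["eventTime"]) > window:
                clusters.append(current)
                current = []
            current.append(ev)
        clusters.append(current)
        for cluster in clusters:
            sessions = [e for e in cluster if e["eventName"] == "CreateTrafficMirrorSession"]
            alerts.append({
                "identity": arn,
                "severity": "high" if sessions else "medium",
                "actions": [e["eventName"] for e in cluster],
                # ENI whose traffic is being copied (requestParameters key is assumed)
                "mirrored_enis": sorted({s.get("requestParameters", {}).get("networkInterfaceId", "?")
                                         for s in sessions}),
                "first_seen": cluster[0]["eventTime"],
            })
    return alerts

ADMIN = "arn:aws:iam::111111111111:user/compromised-admin"
NETOPS = "arn:aws:iam::111111111111:role/netops"
CLOUDTRAIL = [  # constructed records, trimmed to the fields this detector reads
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorTarget", "userIdentity": {"arn": ADMIN},
     "requestParameters": {"networkInterfaceId": "eni-0aaaaaaaaaaaaaaa1"}},
    {"eventTime": "2024-03-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorFilter", "userIdentity": {"arn": ADMIN},
     "requestParameters": {}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorSession", "userIdentity": {"arn": ADMIN},
     "requestParameters": {"networkInterfaceId": "eni-0bbbbbbbbbbbbbbb2",
                           "trafficMirrorTargetId": "tmt-0123456789abcdef0"}},
    {"eventTime": "2024-03-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeTrafficMirrorSessions", "userIdentity": {"arn": ADMIN},
     "requestParameters": {}},  # read-only: ignored
    {"eventTime": "2024-03-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ADMIN},
     "requestParameters": {}},  # unrelated: ignored
    {"eventTime": "2024-03-01T15:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorFilter", "userIdentity": {"arn": NETOPS},
     "requestParameters": {}},
]

if __name__ == "__main__":
    for alert in detect_traffic_mirroring(CLOUDTRAIL):
        print(alert)
```

Grouping by identity and window is what turns three separate low-signal events into one story (target, filter, session in five minutes); a lone filter creation by a network team role still surfaces, but at medium severity so it can be triaged against change records.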
Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with
specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named
RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's
recommended that you treat this rule like an administrative root account and don't use it in your application.
Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship
(Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A
subscription is a named resource representing the stream of messages to be delivered to the subscribing application.
Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship
(Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is
used to forward messages from publishers to subscribers.
Drive and Docs is the Google Workspace service that provides Google Drive and Google Docs. Access to files is governed
by permissions inherited from the organizational unit (or child unit) the user belongs to, which administrators scope.
Typically, when a user is removed, an administrator transfers their files to another user. Adversaries can abuse the
same transfer capability to move files to an account they control for potential exfiltration.
Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route
for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to
capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default,
all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and
Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based
on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can
abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or
having the corresponding privileges.
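The Inbox forwarding rule description above is, in practice, a check on the parameters recorded with an Exchange cmdlet in the Microsoft 365 unified audit log. The analyzer below is an added example, not the original rule: it reads `New-InboxRule` records (and, as this example's own widening, `Set-InboxRule`, since adding a forward to an existing rule is the same abuse), pulls the `ForwardTo`, `ForwardAsAttachmentTo` and `RedirectTo` parameters, classifies the recipient as internal or external against an assumed domain list, and notes a `DeleteMessage` flag, which is the usual way to hide the forwarded copy from the victim. The record layout follows the audit log's Operation/Workload/Parameters shape, but the sample records and the `contoso.com` domain are constructed.

```python
"""Flag Microsoft 365 Inbox rules that forward or redirect mail.
Added example; sample records and the internal domain list are assumptions."""
import re

FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# New-InboxRule is what the description covers; Set-InboxRule is included here
# because adding a forward to an existing rule has the same effect.
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")
# Recipient values can appear as a bare address or as "[SMTP:addr]"; pull the address out.
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def analyze_inbox_rule(record, internal_domains):
    """Return an alert dict for a forwarding/redirecting Inbox rule, or None when
    the record is not an Inbox rule or the rule does not forward."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _params(record)
    actions = {k: params[k] for k in FORWARDING_PARAMS if k in params}
    if not actions:
        return None
    recipients = sorted({a.lower() for v in actions.values() for a in ADDRESS.findall(v)})
    external = [r for r in recipients if r.rsplit("@", 1)[1] not in internal_domains]
    return {
        "user": record["UserId"],
        "operation": record["Operation"],
        "rule_name": params.get("Name", params.get("Identity", "")),
        "actions": sorted(actions),
        "recipients": recipients,
        "external": bool(external),
        # forward + delete hides the forwarded copy from the mailbox owner
        "deletes_copy": str(params.get("DeleteMessage", "")).lower() == "true",
        "severity": "high" if external else "medium",
    }

def run(records, internal_domains):
    return [a for a in (analyze_inbox_rule(r, internal_domains) for r in records) if a]

INTERNAL = {"contoso.com"}  # assumed tenant domain
RECORDS = [  # constructed audit records, trimmed to the fields this analyzer reads
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "[SMTP:collector@attacker.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "bob@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "Team copy"},
                    {"Name": "ForwardTo", "Value": "carol@contoso.com"}]},
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "dave@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "Workload": "Exchange", "UserId": "erin@contoso.com",
     "Parameters": [{"Name": "Identity", "Value": "Archive"},
                    {"Name": "RedirectTo", "Value": "erin.backup@gmail.example"}]},
    {"Operation": "New-TransportRule", "Workload": "Exchange", "UserId": "admin@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "Journal"}]},
]

if __name__ == "__main__":
    for alert in run(RECORDS, INTERNAL):
        print(alert)
```

The one-character rule name, the invoice/payment subject filter, the external recipient and the delete flag on the first record together are the textbook business-email-compromise pattern; the internal forward on the second record is still reported, but at medium severity, because it needs a human to decide whether it is legitimate.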