PowerShell Mailbox Collection Script

Elastic Stack Serverless Security

Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.

Rule type: query

Rule indices:

winlogbeat-*
logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
Windows
Threat Detection
Collection
PowerShell

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

		event.category:process and
  (
   powershell.file.script_block_text : (
      "Microsoft.Office.Interop.Outlook" or
      "Interop.Outlook.olDefaultFolders" or
      "::olFolderInBox"
   ) or
   powershell.file.script_block_text : (
      "Microsoft.Exchange.WebServices.Data.Folder" or
      "Microsoft.Exchange.WebServices.Data.FileAttachment"
   )
   )

	

Framework: MITRE ATT&CKTM

Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
Technique:
- Name: Email Collection
- ID: T1114
- Reference URL: https://attack.mitre.org/techniques/T1114/
Sub-technique:
- Name: Local Email Collection
- ID: T1114.001
- Reference URL: https://attack.mitre.org/techniques/T1114/001/
Sub-technique:
- Name: Remote Email Collection
- ID: T1114.002
- Reference URL: https://attack.mitre.org/techniques/T1114/002/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub-technique:
- Name: PowerShell
- ID: T1059.001
- Reference URL: https://attack.mitre.org/techniques/T1059/001/