← Library
kqlElastic-2.0from elastic/detection-rules

Exchange Mailbox Export via PowerShell

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1005T1074T1074.001T1114T1114.001T1114.002
Rule sourcerules/windows/collection_mailbox_export_winlog.toml
event.category:process and host.os.type:windows and
powershell.file.script_block_text : "New-MailboxExportRequest" and
(
  powershell.file.script_block_text : ("-FilePath" or ".pst") and
  powershell.file.script_block_text : ("-Mailbox" or "Get-Mailbox" or "ExportToPSTFile" or "-Identity")
)