kqlElastic-2.0from elastic/detection-rules

PowerShell Mailbox Collection Script

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1114 T1114.001 T1114.002 T1059 T1059.001

Rule sourcerules/windows/collection_posh_mailbox.toml

event.category:process and host.os.type:windows and
  (
    (
      powershell.file.script_block_text : (
        "Microsoft.Office.Interop.Outlook" or
        "Interop.Outlook.olDefaultFolders" or
        "olFolderInBox" or
        "Outlook.Application"
      ) and powershell.file.script_block_text : ("MAPI" or "GetDefaultFolder" or "GetNamespace" or "Session" or "GetSharedDefaultFolder")
    ) or
    (
      powershell.file.script_block_text : (
        "Microsoft.Exchange.WebServices.Data.Folder" or
        "Microsoft.Exchange.WebServices.Data.FileAttachment" or
        "Microsoft.Exchange.WebServices.Data.ExchangeService"
      ) and
      powershell.file.script_block_text : ("FindItems" or "Bind" or "WellKnownFolderName" or "FolderId" or "ItemView" or "PropertySet" or "SearchFilter" or "Attachments")
    )
  )