Techniques
Sample rules
New ActiveSyncAllowedDeviceID Added via PowerShell
- source: elastic
- techniques:
  - T1059
  - T1098
Description
Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.
Detection logic
process where host.os.type == "windows" and event.type == "start" and
process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
Exchange Mailbox Export via PowerShell
- source: elastic
- techniques:
  - T1005
  - T1114
Description
Detects PowerShell script block content that creates Exchange mailbox export requests via New-MailboxExportRequest, commonly writing PST files. Adversaries can abuse export requests to collect and stage email content for exfiltration.
Detection logic
event.category:process and host.os.type:windows and
powershell.file.script_block_text : "New-MailboxExportRequest" and
(
powershell.file.script_block_text : ("-FilePath" or ".pst") and
powershell.file.script_block_text : ("-Mailbox" or "Get-Mailbox" or "ExportToPSTFile" or "-Identity")
)
Exporting Exchange Mailbox via PowerShell
- source: elastic
- techniques:
  - T1005
  - T1059
  - T1114
Description
Identifies the use of the Exchange PowerShell cmdlet, New-MailboxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.
Detection logic
process where host.os.type == "windows" and event.type == "start" and
process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
process.command_line : ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*")
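As an added example that is not part of the Elastic rule set, the Python below re-implements the three detection clauses above as plain functions and runs them over constructed process-start and script-block events. Field names follow ECS as used in the rules; the sample values are invented, and the KQL text match is simplified to a case-insensitive substring test.

```python
import fnmatch

PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

def glob_any(values, patterns):
    """EQL ':' operator: case-insensitive wildcard match of any value against any pattern."""
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)

def has(text, *terms):
    """KQL text match, simplified to a case-insensitive substring test (no analyzer tokenization)."""
    return any(term.lower() in text.lower() for term in terms)

def windows_ps_start(ev):  # shared prefix of both process-based rules
    return (ev.get("host.os.type") == "windows" and ev.get("event.type") == "start"
            and ev.get("process.name", "").lower() in PS_HOSTS)

def rule_activesync_device(ev):
    return windows_ps_start(ev) and glob_any(
        ev.get("process.args", []), ["Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"])

def rule_export_script_block(ev):
    sbt = ev.get("powershell.file.script_block_text", "")
    return (ev.get("event.category") == "process" and ev.get("host.os.type") == "windows"
            and has(sbt, "New-MailboxExportRequest") and has(sbt, "-FilePath", ".pst")
            and has(sbt, "-Mailbox", "Get-Mailbox", "ExportToPSTFile", "-Identity"))

def rule_export_process(ev):
    return windows_ps_start(ev) and glob_any(
        [ev.get("process.command_line", "")], ["*MailboxExportRequest*", "*-Mailbox*-ContentFilter*"])

RULES = {"activesync_device_added": rule_activesync_device,
         "mailbox_export_script_block": rule_export_script_block,
         "mailbox_export_process": rule_export_process}

def matching_rules(ev):
    """Return the sorted names of every rule the event satisfies."""
    return sorted(name for name, fn in RULES.items() if fn(ev))

# Constructed sample events in ECS field names; none were captured from a real host.
WIN = {"host.os.type": "windows", "event.category": "process"}
def proc(name, args):
    """Constructed process-start event; a quoted -Command string arrives as one args element."""
    return {**WIN, "event.type": "start", "process.name": name,
            "process.args": args, "process.command_line": " ".join(args)}
SAMPLES = {
    "allow_device": proc("PowerShell.exe", ["PowerShell.exe", "-Command",
        "Set-CASMailbox -Identity jdoe -ActiveSyncAllowedDeviceIDs @{add='DEVICE01'}"]),
    "script_block": {**WIN, "event.type": "info", "powershell.file.script_block_text":
        "New-MailboxExportRequest -Mailbox jdoe -FilePath \\\\srv\\exports\\jdoe.pst"},
    "export_process": proc("pwsh.exe", ["pwsh.exe", "-c", "New-MailboxExportRequest -Mailbox jdoe",
        "-ContentFilter", "{Received -gt '01/01/2024'}", "-FilePath", "\\\\srv\\exports\\jdoe.pst"]),
    "benign": proc("powershell.exe", ["powershell.exe", "-Command", "Get-Mailbox -Identity jdoe"]),
}
```

Note that the first rule's `process.args` pattern only fires when the whole cmdlet invocation lands in a single argument, as it does for a quoted -Command string; the benign Get-Mailbox lookup matches none of the three.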