CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Feature/rm submodule (#312)

Browse Source 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
This commit is contained in:
itiB
2021-12-20 21:14:32 +09:00
committed by GitHub
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
rules/sigma/process_creation/process_mailboxexport_share.yml Normal file
View File

@@ -0,0 +1,37 @@
title: Suspicious PowerShell Mailbox Export to Share
ruletype: Sigma
author: Florian Roth
date: 2021/08/07
description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox
to a local share, as used in ProxyShell exploitations
detection:
SELECTION_1:
EventID: 1
SELECTION_2:
CommandLine: '*New-MailboxExport*'
SELECTION_3:
CommandLine: '* -Mailbox *'
SELECTION_4:
CommandLine: '* -FilePath \\127.0.0.1\C$*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- unknown
fields:
- CommandLine
- ParentCommandLine
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
level: critical
logsource:
category: process_creation
product: windows
references:
- https://youtu.be/5mqid-7zp8k?t=2481
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
status: experimental
tags:
- attack.persistence
- attack.t1505.003
- attack.resource_development
- attack.t1584.006