Update rule Powershell Exfiltration Over SMTP considering the attachm…

…ent flag
SigmaHQ · Oct 15, 2024 · 033d531 · 033d531
1 parent f33530e
commit 033d531
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
@@ -9,7 +9,7 @@ references:
     - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
     - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
-date: 2022-09-26
+date: 2024-10-15
 tags:
     - attack.exfiltration
     - attack.t1048.003
@@ -19,7 +19,9 @@ logsource:
     definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
-        ScriptBlockText|contains: 'Send-MailMessage'
+        ScriptBlockText|contains|all:
+        - 'Send-MailMessage'
+        - '-Attachments'
     filter:
         ScriptBlockText|contains: 'CmdletsToExport'
     condition: selection and not filter