title: Exchange PowerShell Snap-Ins Usage
id: 25676e10-2121-446e-80a4-71ff8506af47
status: test
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
references:
    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://www.intrinsec.com/apt27-analysis/
author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-03-24
tags:
    - attack.execution
    - attack.t1059.001
    - attack.collection
    - attack.t1114
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains: 'Add-PSSnapin'
    selection_module:
        CommandLine|contains:
            - 'Microsoft.Exchange.Powershell.Snapin'
            - 'Microsoft.Exchange.Management.PowerShell.SnapIn'
    filter_msiexec:
        # ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
        ParentImage: 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high

title: Hacktool Ruler
id: 24549159-ac1b-479c-8175-d42aea947cae
status: test
description: This events that are generated when using the hacktool Ruler by Sensepost
references:
    - https://github.com/sensepost/ruler
    - https://github.com/sensepost/ruler/issues/47
    - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
author: Florian Roth (Nextron Systems)
date: 2017-05-31
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.execution
    - attack.collection
    - attack.lateral-movement
    - attack.t1087
    - attack.t1114
    - attack.t1059
    - attack.t1550.002
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4776
        Workstation: 'RULER'
    selection2:
        EventID:
            - 4624
            - 4625
        WorkstationName: 'RULER'
    condition: (1 of selection*)
falsepositives:
    - Go utilities that use staaldraad awesome NTLM library
level: high

title: Suspicious Inbox Forwarding Identity Protection
id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
status: test
description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.t1114.003
    - attack.collection
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'suspiciousInboxForwarding'
    condition: selection
falsepositives:
    - A legitimate forwarding rule.
level: high

title: Google Workspace Out Of Domain Email Forwarding
id: 2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5
status: experimental
description: Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
references:
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
author: Tom kluter
date: 2026-04-28
tags:
    - attack.t1114.003
    - attack.collection
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.serviceName: 'login.googleapis.com'
        protoPayload.metadata.event.eventName: 'email_forwarding_out_of_domain'
    condition: selection
falsepositives:
    - Legitimate forwarding
level: medium

title: PST Export Alert Using New-ComplianceSearchAction
id: 6897cd82-6664-11ed-9022-0242ac120002
related:
    - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
      type: similar
status: test
description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
references:
    - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
author: Nikita Khalimonenkov
date: 2022-11-17
tags:
    - attack.collection
    - attack.t1114
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        Payload|contains|all:
            - 'New-ComplianceSearchAction'
            - 'Export'
            - 'pst'
    condition: selection
falsepositives:
    - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
level: medium

title: PST Export Alert Using eDiscovery Alert
id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
related:
    - id: 6897cd82-6664-11ed-9022-0242ac120002
      type: similar
status: test
description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
references:
    - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
author: Sorina Ionescu
date: 2022-02-08
modified: 2022-11-17
tags:
    - attack.collection
    - attack.t1114
logsource:
    service: threat_management
    product: m365
    definition: Requires the 'eDiscovery search or exported' alert to be enabled
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'eDiscovery search started or exported'
        status: success
    condition: selection
falsepositives:
    - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
level: medium

title: Powershell Local Email Collection
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
status: test
description: |
    Adversaries may target user email on local systems to collect sensitive information.
    Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
author: frack113
date: 2021-07-21
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1114.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Get-Inbox.ps1'
            - 'Microsoft.Office.Interop.Outlook'
            - 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
            - '-comobject outlook.application'
    condition: selection
falsepositives:
    - Unknown
level: medium