Merge pull request #962 from 0xC0FFEEEE/susmailrule

patel-bhavin · web-flow · commit 1878e5a4306d · 2025-02-18T17:27:58.000-08:00
0xC0FFEEEE - O365 Suspicious Mailbox Rule Created
diff --git a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d379909545e2d03fd0334e1c498f15189b999dd0722d032028ec0fc34567f075
+size 1440
diff --git a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml
@@ -0,0 +1,11 @@
+author: 0xC0FFEEEE
+id: 54715c41-4283-44f7-a327-fbd230d83c60
+date: '2025-02-14'
+description: 'Detection of suspicious mailbox rule creation.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1564/008/

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:d379909545e2d03fd0334e1c498f15189b999dd0722d032028ec0fc34567f075`
	`3`	`+size 1440`