Detects malicious email forwarding rules created by attackers for persistent email access in intelligence collection and BEC attacks. Useful for threat hunting, incident response, and security assessments in EDR/SIEM environments.
`npx claudepluginhub killvxk/cybersecurity-skills-zh`

This skill uses the workspace's default tool permissions.
- When proactively hunting the environment for indicators of email-forwarding-rule attacks
Detects malicious email forwarding rules (T1114.003) used for persistence and BEC attacks, using EDR telemetry, SIEM queries and Sysmon events during threat hunting and incident response.
Detects malicious email forwarding rules adversaries use for persistent email access in intelligence collection and BEC attacks. Useful for threat hunting in EDR and SIEM.
Detects compromised O365 and Google Workspace email accounts by analyzing inbox rules, suspicious logins, forwarding rules, and abnormal API access patterns. Useful for cybersecurity incident response.
| Concept | Description |
|---|---|
| T1114.003 | Email Forwarding Rule |
| T1114.002 | Remote Email Collection |
| T1098.002 | Additional Email Delegate Permissions |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1114.003
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Contain/Investigate/Monitor]
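The tool table and the report template above describe the hunt but show no detection logic. The following is an added example, not code from the skill or its author: a small Python hunt that runs T1114.003 checks over constructed Microsoft 365 Unified Audit Log records (the `Operation` / `UserId` / `Parameters` Name-Value shape that Exchange Online admin audit events use) and emits each hit in the report template's format. The sample records, the internal domain list `INTERNAL_DOMAINS`, the risk scoring and the finance keyword list are all assumptions for illustration; a real hunt would swap in the tenant's own domains and the SIEM export.

```python
"""Added example: hunt for T1114.003 (email forwarding rules) over UAL-shaped records."""

# Assumption: the organisation's own mail domains; anything else is "external".
INTERNAL_DOMAINS = {"corp.example", "mail.corp.example"}

# Exchange Online cmdlets that can redirect mail, and the parameters carrying a destination.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Set-TransportRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress", "BlindCopyTo"}
# Parameters attackers set so the mailbox owner never sees the forwarded mail.
STEALTH_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance"}  # assumed BEC subject filters

# Constructed sample records (not real tenant data), in Unified Audit Log JSON shape.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T08:12:33", "Operation": "New-InboxRule",
     "UserId": "alice@corp.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}]},
    {"CreationTime": "2024-03-04T09:01:02", "Operation": "Set-Mailbox",
     "UserId": "admin@corp.example", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Identity", "Value": "bob@corp.example"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.personal@webmail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2024-03-04T10:20:00", "Operation": "New-InboxRule",
     "UserId": "carol@corp.example", "ClientIP": "10.10.4.2",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "ForwardTo", "Value": "team-list@corp.example"}]},
    {"CreationTime": "2024-03-04T11:00:00", "Operation": "Set-InboxRule",
     "UserId": "carol@corp.example", "ClientIP": "10.10.4.2",
     "Parameters": [{"Name": "Identity", "Value": "Team updates"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
]


def _params(record):
    """Flatten the UAL Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _domain(address):
    """Extract the lower-cased domain from 'smtp:user@dom' or 'Name <user@dom>' forms."""
    addr = address.strip()
    if addr.lower().startswith("smtp:"):
        addr = addr[5:]
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_record(record, internal_domains=INTERNAL_DOMAINS):
    """Return a finding dict for a rule that forwards mail, or None if the record is not one."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _params(record)
    destinations = [d.strip() for name in sorted(FORWARD_PARAMS.intersection(params))
                    for d in params[name].split(";") if d.strip()]
    if not destinations:
        return None
    external = [d for d in destinations if _domain(d) not in internal_domains]
    stealth = sorted(STEALTH_PARAMS.intersection(params))
    subject_words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";")}
    finance_filter = bool(FINANCE_TERMS & subject_words)
    # Scoring (assumed): external destination is the core signal; hiding the rule's
    # effect or filtering on finance subjects pushes it to Critical.
    if external and (stealth or finance_filter):
        risk, confidence = "Critical", "High"
    elif external:
        risk, confidence = "High", "Medium"
    elif stealth:
        risk, confidence = "Medium", "Medium"
    else:
        risk, confidence = "Low", "Low"
    action = {"Critical": "Contain", "High": "Contain", "Medium": "Investigate", "Low": "Monitor"}[risk]
    # Set-Mailbox targets the mailbox named in Identity; inbox rules act on the caller's mailbox.
    mailbox = params["Identity"] if record["Operation"] == "Set-Mailbox" and "Identity" in params \
        else record.get("UserId", "")
    return {"technique": "T1114.003", "time": record.get("CreationTime", ""),
            "operation": record["Operation"], "mailbox": mailbox,
            "actor": record.get("UserId", ""), "client_ip": record.get("ClientIP", ""),
            "destinations": destinations, "external": external, "stealth": stealth,
            "risk": risk, "confidence": confidence, "action": action}


def hunt(records):
    """Run analyze_record over all records and assign TH-DETECT-[DATE]-[SEQ] hunt IDs."""
    findings = [f for f in (analyze_record(r) for r in records) if f]
    for seq, f in enumerate(findings, start=1):
        f["hunt_id"] = f"TH-DETECT-{f['time'][:10].replace('-', '')}-{seq:03d}"
    return findings


def format_finding(f):
    """Render one finding in the page's hunt report template."""
    evidence = f"{f['time']} {f['operation']} -> {', '.join(f['destinations'])}"
    if f["stealth"]:
        evidence += f"; stealth parameters: {', '.join(f['stealth'])}"
    return "\n".join([f"Hunt ID: {f['hunt_id']}", f"Technique: {f['technique']}",
                      f"Host: Exchange Online mailbox {f['mailbox']}",
                      f"User: {f['actor']} (ClientIP {f['client_ip']})",
                      f"Evidence: {evidence}", f"Risk Level: {f['risk']}",
                      f"Confidence: {f['confidence']}", f"Recommended Action: {f['action']}"])


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(format_finding(finding), end="\n\n")
```

The Low-risk internal forward is still returned so the analyst can baseline legitimate rules; filter on `risk` before paging anyone. Note that `Set-InboxRule` modifying an existing rule without a destination parameter is not flagged here, so a rule created cleanly and later repointed needs the rule's current state (for example from `Get-InboxRule`) rather than the single audit event.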