Suspicious Outbound SMTP Connections

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than the one used by their existing command and control channel. The data may also be sent to a network location other than the main command and control server. This rule flags outbound connections to the common SMTP ports (25, 587, 465 and 2525) from any process that is not a known mail client, the Exchange server binaries, or the Windows Mail background sync process.

Sigma rule

title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
    The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-01-07
modified: 2022-09-21
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # common SMTP submission/relay ports, outbound connections only
        DestinationPort:
            - 25
            - 587
            - 465
            - 2525
        Initiated: 'true'
    filter_clients:
        # desktop mail clients, matched on image name only
        Image|endswith:
            - \thunderbird.exe
            - \outlook.exe
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_outlook:
        # Windows Mail background sync process (packaged app)
        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\HxTsr.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Other SMTP tools
level: medium
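The following is an added worked example, not part of the rule or of the Sigma project: it re-implements the rule's `selection and not 1 of filter_*` logic in Python and runs it over a handful of constructed Sysmon Event ID 3 (network_connection) records. The image paths, the WindowsApps package version and the port values in the sample records are made up for the example; Sigma string comparisons are case-insensitive by default, which the code reproduces by lower-casing the Image field.

```python
# Added example: evaluates the detection logic of the Sigma rule above over
# constructed Sysmon Event ID 3 records. Illustration only, not Sigma code.

SMTP_PORTS = {25, 587, 465, 2525}                                # selection
MAIL_CLIENT_SUFFIXES = ("\\thunderbird.exe", "\\outlook.exe")    # filter_clients
EXCHANGE_PREFIX = "C:\\Program Files\\Microsoft\\Exchange Server\\"  # filter_mailserver
HXTSR_PREFIX = "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_"
HXTSR_SUFFIX = "\\HxTsr.exe"                                     # filter_outlook


def _port(value):
    """DestinationPort is an int in raw Sysmon XML but often a string after a
    log pipeline; normalise both and treat anything unparsable as 'no port'."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def rule_matches(event):
    """True when the event satisfies `selection and not 1 of filter_*`.

    Sigma string comparisons are case-insensitive unless a modifier says
    otherwise, so all Image comparisons are done on lower-cased values.
    """
    image = str(event.get("Image", "")).lower()
    initiated = str(event.get("Initiated", "")).lower() == "true"

    selection = _port(event.get("DestinationPort")) in SMTP_PORTS and initiated
    if not selection:
        return False

    filter_clients = image.endswith(tuple(s.lower() for s in MAIL_CLIENT_SUFFIXES))
    filter_mailserver = image.startswith(EXCHANGE_PREFIX.lower())
    filter_outlook = (image.startswith(HXTSR_PREFIX.lower())
                      and image.endswith(HXTSR_SUFFIX.lower()))
    return not (filter_clients or filter_mailserver or filter_outlook)


def alerting_images(events):
    """Image paths of every event that would fire the rule, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed sample records; field names follow Sysmon Event ID 3 as Sigma
# sees them. Every path and package version below is made up.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationPort": 25, "Initiated": "true"},                   # alert
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationPort": 587, "Initiated": "true"},                  # filter_clients
    {"Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\EdgeTransport.exe",
     "DestinationPort": 25, "Initiated": "true"},                   # filter_mailserver
    {"Image": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_1.0.0.0_x64__8wekyb3d8bbwe\\HxTsr.exe",
     "DestinationPort": 465, "Initiated": "true"},                  # filter_outlook
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationPort": 443, "Initiated": "true"},                  # not an SMTP port
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationPort": "2525", "Initiated": "false"},              # inbound, not initiated
    {"Image": "C:\\Users\\Public\\outlook.exe",
     "DestinationPort": 2525, "Initiated": "true"},                 # suppressed by name-only filter
]

if __name__ == "__main__":
    for img in alerting_images(SAMPLE_EVENTS):
        print("ALERT", img)
```

Only the PowerShell record fires. The last sample record is the one to notice: `filter_clients` matches on the trailing file name alone, so any binary named `outlook.exe` or `thunderbird.exe`, wherever it sits on disk, is excluded from the rule. If that gap matters in your environment, pin the client filters to their installation paths (as `filter_mailserver` and `filter_outlook` already do) or pair this rule with a process-creation rule for mail-client images outside their expected directories.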
