Suspicious Outbound SMTP Connections
Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to a network location other than the main command and control server.
Sigma rule
title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
    The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022/01/07
modified: 2022/09/21
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 25
            - 587
            - 465
            - 2525
        Initiated: 'true'
    filter_clients:
        Image|endswith:
            - \thunderbird.exe
            - \outlook.exe
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_outlook:
        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\HxTsr.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Other SMTP tools
level: medium
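The rule's logic, re-implemented in Python and run over constructed Sysmon Event ID 3 (network_connection) records, so the effect of each filter block can be checked. This is an added example, not code from SigmaHQ or from the rule author; the field names follow the Sysmon/Sigma convention the rule uses (Image, DestinationPort, Initiated), the records are invented test data, and the WindowsApps package directory name is an assumption. Two points worth seeing in code: Sigma string matching is case-insensitive by default, and the two keys in filter_outlook form an AND, so a binary merely named HxTsr.exe outside the WindowsApps package path still fires. Note also that ports 465 and 587 normally carry TLS, so the rule keys on the protocol and port, not on whether the traffic is actually unencrypted.

```python
# Added example (not part of SigmaHQ or the rule above): the detection
# logic of "Suspicious Outbound SMTP Connections" re-implemented in Python
# and run over constructed Sysmon Event ID 3 (network_connection) records.
# Field names follow the Sysmon/Sigma convention used by the rule
# (Image, DestinationPort, Initiated); the records are invented test data.

SMTP_PORTS = {25, 587, 465, 2525}

# Exclusions mirrored from the rule's filter_* blocks. Sigma string
# comparisons are case-insensitive by default, so everything is lowercased.
CLIENT_SUFFIXES = ("\\thunderbird.exe", "\\outlook.exe")
EXCHANGE_PREFIX = "c:\\program files\\microsoft\\exchange server\\"
MAILAPP_PREFIX = "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_"
MAILAPP_SUFFIX = "\\hxtsr.exe"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `selection and not 1 of filter_*`."""
    # --- selection: outbound connection to an SMTP/submission port ---
    # Sysmon writes Initiated as the text "true"/"false", which is why the
    # rule compares against the quoted value 'true'.
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    if port not in SMTP_PORTS:
        return False

    image = str(event.get("Image", "")).lower()
    # filter_clients: Image|endswith with a list of values (OR)
    if image.endswith(CLIENT_SUFFIXES):
        return False
    # filter_mailserver: Image|startswith
    if image.startswith(EXCHANGE_PREFIX):
        return False
    # filter_outlook: two keys in one map, so both must hold (AND). A file
    # named HxTsr.exe outside the WindowsApps package path is still reported.
    if image.startswith(MAILAPP_PREFIX) and image.endswith(MAILAPP_SUFFIX):
        return False
    return True


def alerting_images(events) -> list:
    """Return the Image of every event the rule would fire on, in order."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed Sysmon EID 3 records (test data, not real telemetry). The
# WindowsApps package directory name below is an assumption for illustration.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "587", "Initiated": "true"},
    {"Image": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe",
     "DestinationIp": "203.0.113.11", "DestinationPort": "587", "Initiated": "true"},
    {"Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\EdgeTransport.exe",
     "DestinationIp": "203.0.113.12", "DestinationPort": "25", "Initiated": "true"},
    {"Image": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.0.0.0_x64__8wekyb3d8bbwe\\HxTsr.exe",
     "DestinationIp": "203.0.113.13", "DestinationPort": "465", "Initiated": "true"},
    # Same file name, wrong location: only one of filter_outlook's conditions holds.
    {"Image": "C:\\Users\\Public\\HxTsr.exe",
     "DestinationIp": "203.0.113.14", "DestinationPort": "465", "Initiated": "true"},
    # Inbound connection to a local listener: Initiated is false.
    {"Image": "C:\\Tools\\smtpd.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "25", "Initiated": "false"},
    # HTTPS, not an SMTP port.
    {"Image": "C:\\Windows\\System32\\curl.exe",
     "DestinationIp": "203.0.113.15", "DestinationPort": "443", "Initiated": "true"},
    {"Image": "C:\\Users\\Public\\mailer.exe",
     "DestinationIp": "203.0.113.16", "DestinationPort": "2525", "Initiated": "true"},
]

if __name__ == "__main__":
    for img in alerting_images(EVENTS):
        print("ALERT:", img)
```

Running the script reports powershell.exe, the misplaced HxTsr.exe and mailer.exe; the Thunderbird, Exchange and packaged Mail-app connections are suppressed by the filters, and the inbound and HTTPS connections never pass the selection. When porting the rule to a real backend, check how that backend types DestinationPort (the rule lists it as numbers) and Initiated (a quoted string), since a type mismatch silently turns the selection into a no-match.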
Related rules
- Powershell Exfiltration Over SMTP
- WebDav Client Execution Via Rundll32.EXE
- High DNS Bytes Out
- High DNS Bytes Out - Firewall
- High DNS Requests Rate