← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious Outbound SMTP Connections

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Quality
72
FP risk
Forks
0
Views
0
ATT&CK techniques
T1048.003
Rule sourcerules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
    The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-01-07
modified: 2022-09-21
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 25
            - 587
            - 465
            - 2525
        Initiated: 'true'
    filter_clients:
        Image|endswith:
            - \thunderbird.exe
            - \outlook.exe
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_outlook:
        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\HxTsr.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Other SMTP tools
level: medium