EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Suspicious Outbound SMTP Connections

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

MITRE ATT&CK

T1048.003
exfiltration

Detection Query

selection:
  DestinationPort:
    - 25
    - 587
    - 465
    - 2525
  Initiated: "true"
filter_clients:
  Image|endswith:
    - \thunderbird.exe
    - \outlook.exe
filter_mailserver:
  Image|startswith: C:\Program Files\Microsoft\Exchange Server\
filter_outlook:
  Image|startswith: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_
  Image|endswith: \HxTsr.exe
condition: selection and not 1 of filter_*

Author

frack113

Created

2022-01-07

Data Sources

windowsNetwork Connection Events

Platforms

windows

References

Tags

attack.exfiltrationattack.t1048.003
Raw Content
title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
    The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-01-07
modified: 2022-09-21
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 25
            - 587
            - 465
            - 2525
        Initiated: 'true'
    filter_clients:
        Image|endswith:
            - \thunderbird.exe
            - \outlook.exe
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_outlook:
        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\HxTsr.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Other SMTP tools
level: medium