Type: Detection | Level: medium | Status: test

Suspicious Outbound SMTP Connections

Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than the one used by the existing command and control channel. The data may also be sent to an alternate network location rather than the main command and control server.

Author: François Hubaut. Created Fri Jan 07, updated Wed Sep 21. Rule ID: 9976fa64-2804-423c-8a5b-646ade840773. Product: windows.
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Detection Logic (4 selectors)
detection:
    selection:
        DestinationPort:
            - 25
            - 587
            - 465
            - 2525
        Initiated: 'true'
    filter_clients:
        Image|endswith:
            - '\thunderbird.exe'
            - '\outlook.exe'
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_outlook:
        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\HxTsr.exe'
    condition: selection and not 1 of filter_*
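To make the selection, the three filter_* allow-lists and the condition concrete, the following is an added example (not part of the rule or of the Sigma project) that evaluates the same logic in Python over a handful of constructed Sysmon Event ID 3 records. It assumes Sysmon-style field names (Image, DestinationPort, Initiated), applies Sigma's case-insensitive string matching, and treats Initiated as the string 'true' the way Sysmon writes it; all image paths and addresses in the samples are invented for illustration.

```python
"""Evaluate the 'Suspicious Outbound SMTP Connections' Sigma logic over
constructed Sysmon Event ID 3 (network connection) records.

Sigma string modifiers (startswith/endswith) are case-insensitive, so the
comparisons below lower-case both sides. Sysmon writes the Initiated field
as the string 'true'/'false', which is why the rule compares against 'true'.
"""

SMTP_PORTS = {25, 587, 465, 2525}          # selection: DestinationPort list

# filter_clients / filter_mailserver / filter_outlook values from the rule.
MAIL_CLIENT_SUFFIXES = ("\\thunderbird.exe", "\\outlook.exe")
EXCHANGE_PREFIX = "C:\\Program Files\\Microsoft\\Exchange Server\\"
WINDOWS_MAIL_PREFIX = "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_"
WINDOWS_MAIL_SUFFIX = "\\HxTsr.exe"


def _lower(value):
    return str(value).lower()


def selection(event):
    """selection: SMTP/submission port and the local process initiated the
    connection (outbound), so listeners and inbound sessions never match."""
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    return port in SMTP_PORTS and _lower(event.get("Initiated", "")) == "true"


def filter_clients(event):
    """filter_clients: Image|endswith one of the desktop mail clients."""
    image = _lower(event.get("Image", ""))
    return any(image.endswith(s.lower()) for s in MAIL_CLIENT_SUFFIXES)


def filter_mailserver(event):
    """filter_mailserver: Image|startswith the Exchange Server install path."""
    return _lower(event.get("Image", "")).startswith(EXCHANGE_PREFIX.lower())


def filter_outlook(event):
    """filter_outlook: both conditions must hold (AND within one selector)."""
    image = _lower(event.get("Image", ""))
    return (image.startswith(WINDOWS_MAIL_PREFIX.lower())
            and image.endswith(WINDOWS_MAIL_SUFFIX.lower()))


FILTERS = (filter_clients, filter_mailserver, filter_outlook)


def matches(event):
    """condition: selection and not 1 of filter_*  ->  the selection hits and
    none of the allow-list filters applies."""
    return selection(event) and not any(f(event) for f in FILTERS)


# Constructed sample events (not real telemetry); fields follow Sysmon EID 3.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "DestinationPort": 587, "DestinationIp": "203.0.113.25", "Initiated": "true"},
    {"id": 2, "Image": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe",
     "DestinationPort": 587, "DestinationIp": "203.0.113.25", "Initiated": "true"},
    {"id": 3, "Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\EdgeTransport.exe",
     "DestinationPort": 25, "DestinationIp": "198.51.100.7", "Initiated": "true"},
    {"id": 4, "Image": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_1.0.0.0_x64__constructed\\HxTsr.exe",
     "DestinationPort": 465, "DestinationIp": "203.0.113.25", "Initiated": "true"},
    {"id": 5, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationPort": 25, "DestinationIp": "192.0.2.9", "Initiated": "false"},
    {"id": 6, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationPort": 2525, "DestinationIp": "203.0.113.99", "Initiated": "true"},
    {"id": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationPort": 443, "DestinationIp": "203.0.113.1", "Initiated": "true"},
]


def alerting_event_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if matches(e) else "ok"
        print(f"{e['id']}: {verdict:5} port={e['DestinationPort']:<5} {e['Image']}")
```

Run against the samples, only events 1 and 6 (an unsigned-looking temp binary and PowerShell talking to submission ports) alert; the Thunderbird, Exchange and Windows Mail connections are suppressed by the filters, the inbound svchost session fails the Initiated check, and the HTTPS connection never enters the selection. Because every filter keys on the image path alone, a reviewer triaging a hit should corroborate with process-integrity context (signer, hash, parent process) rather than treating the path as proof of a legitimate mail client.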
False Positives

Other SMTP tools

Rule Metadata
Rule ID
9976fa64-2804-423c-8a5b-646ade840773
Status
test
Level
medium
Type
Detection
Created
Fri Jan 07
Modified
Wed Sep 21
Path
rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
Raw Tags
attack.exfiltration, attack.t1048.003