Suspicious Outbound SMTP Connections

Severity: medium
Author: frack113
Source: upstream

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

MITRE ATT&CK coverage

Tactic	Techniques
Exfiltration	`T1048.003` Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Event coverage

Provider	Event ID	Title
Sysmon	3	Network connection

Stages and Predicates

Stage 1: `selection`

DestinationPort: [25, 2525, 465, 587]
Initiated: true

Stage 2: `not 1 of filter_*`

or:
Image|endswith: '\HxTsr.exe'
Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
Image|endswith: '\outlook.exe'
Image|endswith: '\thunderbird.exe'
Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DestinationPort`	eq	`25` corpus 2 (sigma 2) `2525` `465` corpus 3 (sigma 3) `587` corpus 4 (sigma 4)
`Image`	ends_with	`\HxTsr.exe` `\outlook.exe` corpus 16 (sigma 16) `\thunderbird.exe` corpus 2 (sigma 2)
`Image`	starts_with	`C:\Program Files\Microsoft\Exchange Server\` corpus 3 (sigma 3) `C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_`
`Initiated`	eq	`true` corpus 40 (sigma 40)