Techniques
Sample rules
Suspicious Outbound SMTP Connections
- source: sigma
- techniques:
- t1048
- t1048.003
Description
Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Detection logic
The rule flags any process that initiates a connection to a mail-submission port (25, 587, 465 or 2525) unless the process is a known mail client (Thunderbird, Outlook), an Exchange Server binary, or the Windows Mail app's HxTsr.exe running from its WindowsApps package path. The two keys under filter_outlook are ANDed, so HxTsr.exe is only excluded when it runs from that path.
selection:
  DestinationPort:
    - 25
    - 587
    - 465
    - 2525
  Initiated: 'true'
filter_clients:
  Image|endswith:
    - \thunderbird.exe
    - \outlook.exe
filter_mailserver:
  Image|startswith: C:\Program Files\Microsoft\Exchange Server\
filter_outlook:
  Image|endswith: \HxTsr.exe
  Image|startswith: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_
condition: selection and not 1 of filter_*
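The detection logic above, evaluated over a handful of constructed Sysmon Event ID 3 (network connection) records. This is an added example, not code from the Sigma project or from the rule's author; the field names (Image, DestinationPort, Initiated) come from the rule, while the sample events, paths and package version string are made up for illustration. Sigma string matching is case-insensitive by default, so values are lowercased before comparison.

```python
# Added example: apply the Sigma rule's selection/filter/condition logic to
# constructed Sysmon network-connection records (not real telemetry).

SMTP_PORTS = {25, 587, 465, 2525}
MAIL_CLIENT_SUFFIXES = ("\\thunderbird.exe", "\\outlook.exe")
EXCHANGE_PREFIX = "c:\\program files\\microsoft\\exchange server\\"
HXTSR_SUFFIX = "\\hxtsr.exe"
HXTSR_PREFIX = "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_"


def _image(event):
    # Sigma matching is case-insensitive by default, so normalise the path.
    return str(event.get("Image", "")).lower()


def selection(event):
    """selection: a connection this host initiated to a mail-submission port."""
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    return port in SMTP_PORTS and str(event.get("Initiated", "")).lower() == "true"


def filter_clients(event):
    """filter_clients: Image|endswith \\thunderbird.exe or \\outlook.exe."""
    return _image(event).endswith(MAIL_CLIENT_SUFFIXES)


def filter_mailserver(event):
    """filter_mailserver: Image|startswith the Exchange Server install path."""
    return _image(event).startswith(EXCHANGE_PREFIX)


def filter_outlook(event):
    """filter_outlook: both keys in one map are ANDed, so name AND path must match."""
    image = _image(event)
    return image.endswith(HXTSR_SUFFIX) and image.startswith(HXTSR_PREFIX)


FILTERS = (filter_clients, filter_mailserver, filter_outlook)


def matches(event):
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


def flagged(events):
    """Return (Image, DestinationPort) for every event the rule would alert on."""
    return [(e["Image"], int(e["DestinationPort"])) for e in events if matches(e)]


# Constructed sample records; paths and the WindowsApps package version are assumptions.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationPort": "587", "Initiated": "true"},            # excluded by filter_clients
    {"Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\EdgeTransport.exe",
     "DestinationPort": "25", "Initiated": "true"},             # excluded by filter_mailserver
    {"Image": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_"
              "16005.14326.21620.0_x64__8wekyb3d8bbwe\\HxTsr.exe",
     "DestinationPort": "587", "Initiated": "true"},            # excluded by filter_outlook
    {"Image": "C:\\Users\\Public\\HxTsr.exe",
     "DestinationPort": "587", "Initiated": "true"},            # flagged: right name, wrong path
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationPort": "25", "Initiated": "true"},             # flagged
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationPort": "443", "Initiated": "true"},            # not an SMTP port
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationPort": "25", "Initiated": "false"},            # inbound, not selected
    {"Image": "C:\\Users\\Public\\outlook.exe",
     "DestinationPort": "465", "Initiated": "true"},            # excluded: filter_clients is name-only
]

if __name__ == "__main__":
    for image, port in flagged(SAMPLE_EVENTS):
        print(f"ALERT {image} -> tcp/{port}")
```

The last sample record shows a limitation worth keeping in mind when tuning: filter_clients and filter_outlook's endswith clause match on the file name alone, so any binary named outlook.exe or thunderbird.exe is excluded regardless of where it runs from, whereas HxTsr.exe is only excluded from its WindowsApps package path. If that matters in your environment, pin the mail-client filters to their install paths the way filter_mailserver and filter_outlook do.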