Techniques
Sample rules
Windows File Transfer Protocol In Non-Common Process Path
- source: splunk
- techniques:
- T1071.003
- T1071
Description
The following analytic identifies a Windows process running from a non-common installation path that opens an FTP connection (Sysmon EventCode 3 to port 21 or a destination port resolved as "ftp"). Adversaries and malware such as AgentTesla use FTP as a command-and-control channel to exfiltrate collected data, for example desktop screenshots, browser credentials and system information, from a compromised host.
Detection logic
`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\windows\\system32\\*","*\\windows\\SysWOW64\\*")) (DestinationPortName="ftp" OR DestinationPort=21)
| stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_transfer_protocol_in_non_common_process_path_filter`
Windows Mail Protocol In Non-Common Process Path
- source: splunk
- techniques:
- T1071.003
- T1071
Description
The following analytic identifies a Windows process running from a non-common installation path that opens an SMTP connection (Sysmon EventCode 3 to port 25 or 587, or a destination port resolved as "smtp"). Adversaries and malware such as AgentTesla use SMTP as a command-and-control channel to exfiltrate collected data, for example desktop screenshots, browser credentials and system information, from a compromised host.
Detection logic
`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\thunderbird.exe","*\\outlook.exe")) (DestinationPortName="smtp" OR DestinationPort=25 OR DestinationPort=587)
| stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp dest user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_mail_protocol_in_non_common_process_path_filter`
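To see what the two searches above actually match and, just as importantly, what they let through, here is an added Python re-implementation of both rules run over a handful of constructed Sysmon EventCode 3 records. This is example code written for this page, not Splunk's content; the sample events, host name WS01, user name and IP addresses are made up, and the `stats` grouping is reduced to Image, DestinationIp and DestinationPort. The `security_content_ctime` and `*_filter` macros are not reproduced.

```python
"""Plain-Python emulation of the two Splunk analytics above.

Constructed Sysmon EventCode 3 (network connection) records stand in for
the `sysmon` data source. Example code, not Splunk's own.
"""
import fnmatch

# Image exclusions copied from each search's NOT(Image IN(...)) clause.
FTP_EXCLUDED_IMAGES = [r"*\program files*", r"*\windows\system32\*", r"*\windows\syswow64\*"]
SMTP_EXCLUDED_IMAGES = [r"*\program files*", r"*\thunderbird.exe", r"*\outlook.exe"]


def image_excluded(image, patterns):
    """Splunk wildcard comparisons are case-insensitive; emulate with fnmatch on lowercase."""
    low = image.lower()
    return any(fnmatch.fnmatchcase(low, p.lower()) for p in patterns)


def ftp_rule(ev):
    """Windows File Transfer Protocol In Non-Common Process Path."""
    if ev.get("EventCode") != 3:
        return False
    if image_excluded(ev["Image"], FTP_EXCLUDED_IMAGES):
        return False
    return ev.get("DestinationPortName") == "ftp" or ev.get("DestinationPort") == 21


def smtp_rule(ev):
    """Windows Mail Protocol In Non-Common Process Path."""
    if ev.get("EventCode") != 3:
        return False
    if image_excluded(ev["Image"], SMTP_EXCLUDED_IMAGES):
        return False
    return ev.get("DestinationPortName") == "smtp" or ev.get("DestinationPort") in (25, 587)


def stats(events, rule):
    """Emulate `stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationIp DestinationPort`."""
    rows = {}
    for ev in events:
        if not rule(ev):
            continue
        key = (ev["Image"], ev["DestinationIp"], ev["DestinationPort"])
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])  # ISO-8601 strings sort chronologically
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


def _ev(t, image, ip, port, port_name, code=3):
    """Build a constructed Sysmon network-connection record (hypothetical host/user)."""
    return {"_time": t, "EventCode": code, "Image": image, "DestinationIp": ip,
            "DestinationPort": port, "DestinationPortName": port_name, "dest": "WS01", "user": "victim"}


# Constructed sample data; IPs are documentation ranges.
SAMPLE_EVENTS = [
    # Stealer dropped under AppData talking FTP: should fire the FTP rule (twice).
    _ev("2024-05-01T10:00:00Z", r"C:\Users\victim\AppData\Roaming\svchost.exe", "203.0.113.10", 21, "ftp"),
    _ev("2024-05-01T10:05:00Z", r"C:\Users\victim\AppData\Roaming\svchost.exe", "203.0.113.10", 21, "ftp"),
    # Legitimate client under Program Files (x86): excluded by "*\program files*".
    _ev("2024-05-01T10:06:00Z", r"C:\Program Files (x86)\FileZilla FTP Client\filezilla.exe", "198.51.100.5", 21, "ftp"),
    # Built-in ftp.exe is a living-off-the-land binary but lives in System32, so the FTP rule skips it.
    _ev("2024-05-01T10:07:00Z", r"C:\Windows\System32\ftp.exe", "203.0.113.10", 21, "ftp"),
    # Stealer in Temp sending mail on 587: should fire the SMTP rule.
    _ev("2024-05-01T10:08:00Z", r"C:\Users\victim\AppData\Local\Temp\update.exe", "198.51.100.7", 587, "smtp"),
    # Real Outlook: excluded twice over (Program Files and *\outlook.exe).
    _ev("2024-05-01T10:09:00Z", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "198.51.100.7", 587, "smtp"),
    # Malware renamed to outlook.exe in Downloads: the filename-only exclusion hides it.
    _ev("2024-05-01T10:10:00Z", r"C:\Users\victim\Downloads\outlook.exe", "198.51.100.7", 25, "smtp"),
    # Same stealer using implicit-TLS SMTPS on 465: not in the SMTP rule's port list (port name left unresolved).
    _ev("2024-05-01T10:11:00Z", r"C:\Users\victim\AppData\Local\Temp\update.exe", "198.51.100.7", 465, ""),
    # A process-create event (EventCode 1) with the same fields: ignored by both rules.
    _ev("2024-05-01T10:12:00Z", r"C:\Users\victim\AppData\Roaming\svchost.exe", "203.0.113.10", 21, "ftp", code=1),
]


if __name__ == "__main__":
    for name, rule in (("FTP", ftp_rule), ("SMTP", smtp_rule)):
        for (image, ip, port), row in stats(SAMPLE_EVENTS, rule).items():
            print(f"{name}: {image} -> {ip}:{port} count={row['count']} "
                  f"first={row['firstTime']} last={row['lastTime']}")
```

Run as written, the FTP rule returns one row (the AppData `svchost.exe` to 203.0.113.10:21, count 2) and the SMTP rule returns one row (the Temp `update.exe` to 198.51.100.7:587). The three quiet records are the ones worth knowing about when tuning: the FTP rule's System32 exclusion also drops the built-in `ftp.exe`, the SMTP rule's `*\outlook.exe` and `*\thunderbird.exe` exclusions match on filename alone and so are defeated by renaming the binary, and port 465 (SMTPS) is not in the SMTP rule's port list. `DestinationPortName` is also only populated when Sysmon can resolve the port, so the numeric port checks are what carry the searches in practice.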