LoFP / A third-party application may legitimately use this network protocol as part of its features; a filter is needed.

Techniques

Sample rules

Windows File Transfer Protocol In Non-Common Process Path

Description

The following analytic identifies a Windows process running from a non-standard installation path (outside Program Files, System32 and SysWOW64) that makes an outbound FTP connection, as recorded by a Sysmon network connection event (EventCode 3) to destination port 21 or a destination port named "ftp". Adversaries and malware such as AgentTesla use FTP as a command-and-control and exfiltration channel to send collected data, for example desktop screenshots, browser information and system information from the compromised host. Legitimate FTP clients installed per-user or in a custom directory will also match, which is why the search ends in a tuning macro: add such third-party applications to the filter rather than to the path exclusions in the base query. Note that only the control connection on port 21 is matched; FTP servers listening on a non-standard port will not trigger this search.

Detection logic

`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\windows\\system32\\*","*\\windows\\SysWOW64\\*")) (DestinationPortName="ftp" OR DestinationPort=21) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname DestinationIp SourcePort SourcePortName Protocol SourceHostname dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_file_transfer_protocol_in_non_common_process_path_filter`

Windows Mail Protocol In Non-Common Process Path

Description

The following analytic identifies a Windows process running from a non-standard installation path (outside Program Files, and not thunderbird.exe or outlook.exe) that makes an outbound SMTP connection, as recorded by a Sysmon network connection event (EventCode 3) to destination port 25 or 587 or a destination port named "smtp". Adversaries and malware such as AgentTesla use SMTP as a command-and-control and exfiltration channel to mail collected data, for example desktop screenshots, browser information and system information from the compromised host. Third-party mail clients, monitoring agents and scripts that send report e-mail from custom paths will also match; add them to the tuning macro at the end of the search. Note that the query matches port 25 and the submission port 587 only, so implicit-TLS SMTP on port 465 is not covered, and that the numeric port check is what catches port 587, since Sysmon typically labels it "submission" rather than "smtp".

Detection logic

`sysmon` EventCode=3 NOT(Image IN("*\\program files*", "*\\thunderbird.exe","*\\outlook.exe")) (DestinationPortName="smtp" OR DestinationPort=25 OR DestinationPort=587) 
| stats count min(_time) as firstTime max(_time) as lastTime by Image DestinationPort DestinationPortName DestinationHostname SourceHostname SourcePort SourcePortName Protocol DestinationIp dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_mail_protocol_in_non_common_process_path_filter`
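To show how both searches above behave, and where the false positive from the page title enters, here is an added Python re-implementation of the two analytics run over a handful of constructed Sysmon EventCode 3 records. This is editor-supplied example code, not part of the original rule set or of Splunk. It assumes the Splunk wildcard semantics of `Image IN(...)` (case-insensitive glob, `\\` in the SPL string being one literal backslash), models `stats count min(_time) max(_time) by ...` over a reduced set of grouping fields, and models the `*_filter` macro as a hypothetical allowlist of image path patterns. The sample events, hostnames, users and IP addresses are made up.

```python
"""Re-implementation of the FTP and SMTP 'non-common process path' analytics.

Constructed Sysmon EventCode 3 records stand in for a Splunk index. The
tuning macro at the end of each SPL search is modelled as an allowlist
of image path globs (hypothetical; the real macro is site-specific).
"""
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Exclusion patterns copied from the two SPL searches. Splunk's "\\" inside
# a double-quoted string is a single literal backslash, so one is used here.
FTP_EXCLUDED_IMAGES = ["*\\program files*", "*\\windows\\system32\\*", "*\\windows\\syswow64\\*"]
MAIL_EXCLUDED_IMAGES = ["*\\program files*", "*\\thunderbird.exe", "*\\outlook.exe"]
FTP_PORTS = {21}
MAIL_PORTS = {25, 587}

# Reduced grouping key (the SPL also groups on hostnames and source port).
GROUP_BY = ("Image", "DestinationPort", "DestinationIp", "dest", "user")


def image_excluded(image, patterns):
    """Splunk wildcard matching on Image is case-insensitive: lowercase both
    sides and use fnmatchcase so the platform's case rules do not interfere."""
    img = image.lower()
    return any(fnmatchcase(img, p.lower()) for p in patterns)


def is_hit(event, excluded_images, ports, port_name):
    """One Sysmon network event against the base query (before the filter macro)."""
    if event.get("EventCode") != 3:
        return False
    if image_excluded(event["Image"], excluded_images):
        return False
    # The SPL ORs the port name with the numeric port; Sysmon names 587
    # "submission", so the numeric check is what catches it.
    return event.get("DestinationPortName") == port_name or int(event["DestinationPort"]) in ports


def ctime(epoch):
    """Stand-in for the security_content_ctime macro (UTC, human readable)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def stats(events):
    """Equivalent of: stats count min(_time) as firstTime max(_time) as lastTime by GROUP_BY."""
    groups = defaultdict(list)
    for e in events:
        groups[tuple(e[f] for f in GROUP_BY)].append(e["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=ctime(min(times)), lastTime=ctime(max(times)))
        rows.append(row)
    return rows


def apply_filter(hits, allowlist):
    """Models the *_filter macro: drop known third-party apps (the LoFP case)."""
    return [e for e in hits if not image_excluded(e["Image"], allowlist)]


def ftp_in_non_common_path(events, allowlist=()):
    hits = [e for e in events if is_hit(e, FTP_EXCLUDED_IMAGES, FTP_PORTS, "ftp")]
    return stats(apply_filter(hits, allowlist))


def mail_in_non_common_path(events, allowlist=()):
    hits = [e for e in events if is_hit(e, MAIL_EXCLUDED_IMAGES, MAIL_PORTS, "smtp")]
    return stats(apply_filter(hits, allowlist))


def ev(t, image, port, name, ip="203.0.113.10", host="WS01", user="CORP\\alice"):
    """Build a constructed Sysmon EventCode 3 record with the fields the SPL uses."""
    return {"EventCode": 3, "_time": t, "Image": image, "DestinationPort": port,
            "DestinationPortName": name, "DestinationIp": ip, "dest": host, "user": user}


# Constructed sample data: a rogue binary in AppData (AgentTesla-style), two
# legitimate clients under Program Files, and a third-party mailer in C:\Tools.
SAMPLE_EVENTS = [
    ev(1700000000, r"C:\Users\alice\AppData\Roaming\MyApp\svchost.exe", 21, "ftp"),
    ev(1700000600, r"C:\Users\alice\AppData\Roaming\MyApp\svchost.exe", 21, "ftp"),
    ev(1700000700, r"C:\Users\alice\AppData\Roaming\MyApp\svchost.exe", 587, "submission"),
    ev(1700000800, r"C:\Users\alice\AppData\Roaming\MyApp\svchost.exe", 443, "https"),
    ev(1700000900, r"C:\Program Files\FileZilla FTP Client\filezilla.exe", 21, "ftp"),
    ev(1700001000, r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE", 587, "submission"),
    ev(1700001100, r"C:\Tools\Mailer\mailer.exe", 25, "smtp", user="CORP\\svc-reports"),
]

if __name__ == "__main__":
    for row in ftp_in_non_common_path(SAMPLE_EVENTS):
        print("FTP :", row)
    for row in mail_in_non_common_path(SAMPLE_EVENTS):
        print("SMTP:", row)
    # The tuned run drops the known reporting tool, which is the LoFP note in practice.
    for row in mail_in_non_common_path(SAMPLE_EVENTS, allowlist=[r"*\tools\mailer\mailer.exe"]):
        print("SMTP (filtered):", row)
```

Running it, the FTP search returns one aggregated row for the AppData binary with count 2 and its first and last connection times; the rogue HTTPS connection and the FileZilla connection from Program Files are not reported. The SMTP search returns two rows, the AppData binary on 587 and the reporting tool on 25; passing the mailer's path as the allowlist removes the second row while keeping the suspicious one, which is the intended use of the filter macro rather than widening the path exclusions in the base query.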