LoFP / third party email or smtp based applications will trigger this. apply additional filters as needed. also consider excluding known email or any smtp based clients installed outside of the program files and windows directories.

Techniques

• T1071.003

Sample rules

Windows Mail Protocol In Non-Common Process Path

• source: splunk
• technicques:
  • T1071.003

Description

The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird, Outlook) making SMTP connections. This activity is significant as adversaries, including malware like AgentTesla, use such connections for Command and Control (C2) communication to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized data exfiltration, including sensitive information like desktop screenshots, browser data, and system details, compromising the affected host.

Detection logic

`sysmon`
EventCode=3
NOT Image IN(
  "C:\\Program Files \(x86\)\\*",
  "C:\\Program Files\\*",
  "C:\\Windows\\System32\\*",
  "C:\\Windows\\SysWOW64\\*"
)
(
  DestinationPortName="smtp"
  OR
  DestinationPort IN (25, 587)
)

| stats count min(_time) as firstTime 
              max(_time) as lastTime
by action app dest dest_ip dest_port direction dvc protocol protocol_version
   src src_ip src_port transport user vendor_product process_name
   process_exec process_guid process_id

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_mail_protocol_in_non_common_process_path_filter`