Sigma rules for CVE-2008-0394
1 rules · scoped to cve · back to CVE-2008-0394
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-01-07
modified: 2022-09-21
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort:
- 25
- 587
- 465
- 2525
Initiated: 'true'
filter_clients:
Image|endswith:
- \thunderbird.exe
- \outlook.exe
filter_mailserver:
Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
filter_outlook:
Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
Image|endswith: '\HxTsr.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Other SMTP tools
level: medium