|T1071.002||File Transfer Protocols|
Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Agent Tesla has used SMTP for C2 communications.
APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.
Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.
Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.
ComRAT can use email attachments for command and control.
Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.
Kimsuky has used e-mail to send exfiltrated data to C2 servers.
LightNeuron uses SMTP for C2.
NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.
SilverTerrier uses SMTP for C2 communications.
Turla has used multiple backdoors which communicate with a C2 server via email attachments.
|M1031||Network Intrusion Prevention||
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|ID||Data Source||Data Component||Detects|
|DS0029||Network Traffic||Network Traffic Content||
Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
|Network Traffic Flow||
Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).