This detection flags content consistent with the SMTP variant of the AgentTesla stealer (tracked by Trend Micro as Negasteal). AgentTesla harvests credentials, keystrokes and screenshots and, in this variant, delivers them to an attacker-controlled mailbox over SMTP; a hit should therefore be treated as evidence of data exfiltration in progress rather than of interactive command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to catch early-stage adversary activity that may evade traditional signature-based detection.
YARA Rule
rule agenttesla_smtp_variant {
    meta:
        author = "J from THL <[email protected]> with thx to @Fumik0_ !!1!"
        date = "2018/2"
        reference1 = "https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection"
        reference2 = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a"
        reference3 = "Agent Tesla == negasteal -- @coldshell"
        version = 1
        maltype = "Stealer"
        filetype = "memory"
    strings:
        $a = "type={"
        $b = "hwid={"
        $c = "time={"
        $d = "pcname={"
        $e = "logdata={"
        $f = "screen={"
        $g = "ipadd={"
        $h = "webcam_link={"
        $i = "screen_link={"
        $j = "site_username={"
        $k = "[passwords]"
    condition:
        6 of them
}
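To make the rule's logic concrete without needing the yara module, the following added example (not part of the original rule page) re-implements its string set and "6 of them" condition in plain Python and runs it over two constructed buffers: an invented exfiltration body and an invented benign report mail. It also shows the chunked memory-scan case, where a string that straddles a chunk boundary is lost unless the scanner carries an overlap; the sample dump, the chunk size and the placeholder values are all assumptions of this example.

```python
# Added example (not part of the original rule page): a plain-Python re-implementation
# of agenttesla_smtp_variant's matching logic, so the "6 of them" threshold and the
# memory-scan use case can be exercised offline without the yara module. Both buffers
# below are constructed test data, not real captures.
from __future__ import annotations

# The rule's 11 strings, as bytes: memory and file scans operate on raw bytes.
STRINGS: dict[str, bytes] = {
    "a": b"type={",
    "b": b"hwid={",
    "c": b"time={",
    "d": b"pcname={",
    "e": b"logdata={",
    "f": b"screen={",
    "g": b"ipadd={",
    "h": b"webcam_link={",
    "i": b"screen_link={",
    "j": b"site_username={",
    "k": b"[passwords]",
}
THRESHOLD = 6  # condition: 6 of them


def matched_strings(buf: bytes) -> set[str]:
    """Identifiers of the rule's strings that occur anywhere in buf."""
    return {name for name, pat in STRINGS.items() if pat in buf}


def rule_matches(buf: bytes) -> bool:
    """Equivalent of the YARA condition '6 of them' over a single buffer."""
    return len(matched_strings(buf)) >= THRESHOLD


def scan_memory(dump: bytes, chunk_size: int = 4096, overlap: int | None = None) -> set[str]:
    """Scan a large buffer (e.g. a process memory dump) chunk by chunk.

    Each window is extended backwards by `overlap` bytes (default: longest
    pattern minus one) so a string that straddles a chunk boundary is still
    found. overlap=0 reproduces the naive approach that silently loses such hits.
    """
    if overlap is None:
        overlap = max(len(p) for p in STRINGS.values()) - 1
    found: set[str] = set()
    for start in range(0, len(dump), chunk_size):
        window = dump[max(0, start - overlap): start + chunk_size]
        found |= matched_strings(window)
    return found


# Constructed sample of the key/value fields an AgentTesla-style stealer writes
# into its exfiltration body; every value is an invented placeholder.
SAMPLE_EXFIL = (
    b"type={keylogger}\r\n"
    b"hwid={00000000-0000-0000-0000-000000000000}\r\n"
    b"time={2018/02/01 00:00:00}\r\n"
    b"pcname={USER-PC / user}\r\n"
    b"logdata={<html>...</html>}\r\n"
    b"screen={}\r\n"
    b"ipadd={203.0.113.10}\r\n"
)

# Constructed benign mail body: an automated report that happens to contain two
# of the strings, well under the threshold, so it must not fire.
SAMPLE_BENIGN = (
    b"Subject: nightly backup report\r\n\r\n"
    b"time={2024-01-01 02:00}\r\npcname={backup01}\r\nstatus=ok\r\n"
)

# Constructed "memory dump": the padding is chosen so that "type={" starts 3 bytes
# before the first 4096-byte chunk boundary and is therefore split across two chunks.
SAMPLE_DUMP = b"\x00" * 4093 + SAMPLE_EXFIL + b"\x00" * 1000

if __name__ == "__main__":
    print("exfil body matches:", rule_matches(SAMPLE_EXFIL))    # True (7 of 11)
    print("benign body matches:", rule_matches(SAMPLE_BENIGN))  # False (2 of 11)
    print("dump, with overlap:", sorted(scan_memory(SAMPLE_DUMP)))
    print("dump, no overlap:  ", sorted(scan_memory(SAMPLE_DUMP, overlap=0)))
```

The no-overlap scan still crosses the threshold on this sample because the other six fields sit inside the second chunk, but it drops `$a`; on a variant that emits fewer fields that boundary loss is the difference between a hit and a miss, which is why real scanners (yara included) handle block boundaries rather than matching chunk by chunk.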
The rule's meta block marks it as a memory rule (filetype = "memory"): it is written to be run against process memory, whether a dump or a live scan of a suspect process, where the exfiltration field names are assembled in the clear, rather than against samples on disk, where a packed or obfuscated binary may not expose them. It uses 11 string patterns and fires when any 6 of them are present, which keeps a single coincidental field name (a "time={" in an unrelated template, say) from triggering it while still tolerating variants that drop or rename a few fields.
Tuning the hunt: the YARA rule matches on content, so the exclusions below apply to the process and network telemetry used to scope an SMTP hunt in Sentinel (which process opened the outbound SMTP connection, as which user, to where), not to the YARA match itself. Key every name-based exclusion on the executable's path or signing publisher as well, since a process name or account name alone is trivial for malware to mimic.
Scenario: A system administrator uses Postfix to send automated reports to internal stakeholders.
Filter/Exclusion: Exclude traffic where the destination IP is within the internal network (e.g., dest_ip in 10.0.0.0/8) and the source is a known admin workstation.
Scenario: A scheduled job runs via cron to fetch and send email reports using Sendmail.
Filter/Exclusion: Exclude processes initiated by cron and associated with known scheduled tasks (e.g., process.user = "cron" or process.name = "cron"); note that cron runs each job as the crontab's owner, so the parent process is usually the more reliable key than the user.
Scenario: A backup tool like Veeam or Commvault sends status emails via SMTP to notify administrators.
Filter/Exclusion: Exclude emails sent from known backup tools (e.g., process.name = "veeam" or process.name = "commvault") and filter by the specific sender domains used by the backup system.
Scenario: An IT helpdesk tool like ServiceNow or Jira sends automated emails via SMTP to notify users of ticket updates.
Filter/Exclusion: Exclude emails originating from the helpdesk application's service account (e.g., process.user = "service_now" or process.name = "jira") and filter by known helpdesk sender domains.
Scenario: A DevOps pipeline using Jenkins or GitLab CI sends status emails via SMTP to notify team members.
Filter/Exclusion: Exclude emails from the DevOps service account (e.g., process.user = "jenkins" or process.name = "gitlab-ci") and filter by known DevOps sender domains.
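The exclusions above, expressed as code and run over a handful of constructed SMTP-connection events, as an added example that is not part of the original page. The event fields, the admin-workstation inventory and the user-writable path markers are assumptions made for this example rather than a Sentinel table schema; the point it adds is the ordering: a path check runs before any name or account allow-list, so a binary in %AppData% named after a backup tool is still surfaced.

```python
# Added example (not part of the original page): the tuning exclusions expressed as
# code and run over constructed SMTP-connection events. Field names, the admin
# workstation list and the user-writable path markers are assumptions for this
# example, not a Sentinel table schema.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SmtpEvent:
    """One outbound SMTP connection joined with its originating process."""
    host: str
    process_name: str
    process_path: str
    user: str
    dest_ip: str
    dest_port: int


# Allow-lists taken from the scenarios above (process and account names as given there).
KNOWN_MAIL_PROCESSES = {"postfix", "sendmail", "veeam", "commvault", "jira", "gitlab-ci"}
KNOWN_SERVICE_ACCOUNTS = {"cron", "service_now", "jenkins"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_WORKSTATIONS = {"admin-ws01"}  # assumed inventory of admin hosts
# Assumed: legitimate mailers are installed under system or program directories, so
# anything executing from a user-writable location is never allow-listed, whatever
# it calls itself.
USER_WRITABLE_MARKERS = ("/appdata/", "/temp/", "/tmp/", "/home/", "/downloads/")


def from_user_writable_path(path: str) -> bool:
    normalized = path.lower().replace("\\", "/")
    return any(marker in normalized for marker in USER_WRITABLE_MARKERS)


def exclusion_reason(ev: SmtpEvent) -> str | None:
    """Why the event is tuned out, or None if it should be investigated."""
    # Name- and account-based exclusions are trivial for malware to mimic, so the
    # path check runs first and overrides every allow-list below it.
    if from_user_writable_path(ev.process_path):
        return None
    if ev.process_name.lower() in KNOWN_MAIL_PROCESSES:
        return f"known mail-sending process {ev.process_name}"
    if ev.user.lower() in KNOWN_SERVICE_ACCOUNTS:
        return f"known service account {ev.user}"
    ip = ipaddress.ip_address(ev.dest_ip)
    if ev.host in ADMIN_WORKSTATIONS and any(ip in net for net in INTERNAL_NETS):
        return "admin workstation relaying to an internal mail server"
    return None


def hunt(events: list[SmtpEvent]) -> list[SmtpEvent]:
    """Events that survive every exclusion and need an analyst."""
    return [ev for ev in events if exclusion_reason(ev) is None]


# Constructed events: two benign automations, one tuned-out admin relay, and two that
# look like a stealer (a random binary in %AppData%, and a lookalike named after a
# backup tool but running from a temp directory).
EVENTS = [
    SmtpEvent("bkp01", "veeam", r"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe", "SYSTEM", "10.0.5.25", 25),
    SmtpEvent("rpt01", "python3", "/usr/bin/python3", "cron", "10.0.5.25", 25),
    SmtpEvent("admin-ws01", "python3", "/usr/bin/python3", "alice", "10.0.5.25", 25),
    SmtpEvent("ws-bob", "svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe", "bob", "203.0.113.25", 587),
    SmtpEvent("ws-carol", "veeam", r"C:\Users\carol\AppData\Local\Temp\veeam.exe", "carol", "198.51.100.8", 587),
]

if __name__ == "__main__":
    for ev in EVENTS:
        reason = exclusion_reason(ev)
        verdict = f"EXCLUDED: {reason}" if reason else "INVESTIGATE"
        print(f"{ev.host:10} {ev.process_name:12} {ev.dest_ip:15} -> {verdict}")
```

Run against the constructed events, only the two workstation events survive; the lookalike `veeam.exe` is kept precisely because the path check is evaluated before the process-name allow-list.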