SMTP on Port 26/TCP
This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.
[metadata]
creation_date = "2020/02/18"
# Integrations whose datasets back the index patterns listed under [rule].
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/09/18"

[rule]
author = ["Elastic"]
description = """
This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular
mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family
called BadPatch for command and control of Windows systems.
"""
# The query carries no direction, source or host constraint, so any legitimate
# mail server reachable on 26/TCP will match; handle those with exceptions
# rather than by narrowing the query.
false_positives = [
 """
 Servers that process email traffic may cause false positives and should be excluded from this rule as this is
 expected behavior.
 """,
]
# Lookback window for each rule execution, measured against event.ingested
# (see timestamp_override below).
from = "now-9m"
index = [
 "packetbeat-*",
 "auditbeat-*",
 "filebeat-*",
 "logs-network_traffic.*",
 "logs-panw.panos*",
]
language = "kuery"
license = "Elastic License v2"
name = "SMTP on Port 26/TCP"
references = [
 "https://unit42.paloaltonetworks.com/unit42-badpatch/",
 "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/",
]
# Low score/severity: port 26 is a common, legitimate alternative SMTP port.
risk_score = 21
rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
severity = "low"
tags = [
 "Tactic: Command and Control",
 "Domain: Endpoint",
 "Use Case: Threat Detection",
 "Data Source: PAN-OS",
]
# Evaluate the lookback window against ingest time instead of @timestamp.
timestamp_override = "event.ingested"
type = "query"

# Matches flow / Zeek SMTP datasets, or any network-category event, whose TCP
# destination port is 26. Only the destination port is constrained.
query = '''
(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26
'''

# Two ATT&CK mappings: the first records the Command and Control tactic alone
# (the BadPatch case from the references); the second maps the alternative-port
# use to Exfiltration Over Alternative Protocol.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"