SMTP on Port 26/TCP
This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular
mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family
called BadPatch for command and control of Windows systems.
"""
false_positives = [
    """
    Servers that process email traffic may cause false positives and should be excluded from this rule as this is
    expected behavior.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "SMTP on Port 26/TCP"
references = [
    "https://unit42.paloaltonetworks.com/unit42-badpatch/",
    "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/",
]
risk_score = 21
rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
severity = "low"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating SMTP on Port 26/TCP

SMTP, typically operating on port 25, is crucial for email transmission. However, port 26 is often used to avoid conflicts or restrictions on port 25. Adversaries exploit this by using port 26 for covert command and control, as seen with the BadPatch malware. The detection rule identifies suspicious SMTP activity on port 26 by analyzing network traffic patterns, helping to uncover potential threats.

### Possible investigation steps

- Review the network traffic logs to identify any unusual patterns or anomalies associated with TCP port 26, focusing on the event.dataset fields such as network_traffic.flow or zeek.smtp.
- Analyze the source and destination IP addresses involved in the alert to determine if they are known or associated with any previous suspicious activities.
- Check for any additional alerts or logs related to the same source or destination IP addresses to identify potential patterns or repeated attempts of communication on port 26.
- Investigate the context of the communication by examining the payload data, if available, to identify any indicators of compromise or malicious content.
- Correlate the findings with threat intelligence sources to determine if the IP addresses or domains are associated with known threat actors or malware, such as BadPatch.
- Assess the risk and impact on the affected systems by determining if any sensitive data or critical systems are involved in the communication on port 26.

### False positive analysis

- Legitimate mail transfer agents may use port 26 to avoid conflicts with port 25. Identify these agents and create exceptions in the detection rule to prevent unnecessary alerts.
- Some network configurations might reroute SMTP traffic to port 26 for load balancing or security reasons. Verify these configurations and whitelist known IP addresses or domains to reduce false positives.
- Internal testing or development environments might use port 26 for non-malicious purposes. Document these environments and exclude their traffic from triggering alerts.
- Certain email service providers may use port 26 as an alternative to port 25. Confirm these providers and adjust the rule to recognize their traffic as benign.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further command and control communication via port 26.
- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove the BadPatch malware or any other malicious software.
- Review and analyze network logs to identify any other systems that may have communicated with the same command and control server, and isolate those systems as well.
- Change all passwords and credentials that may have been compromised or accessed by the affected system to prevent unauthorized access.
- Apply security patches and updates to the affected system and any other vulnerable systems to mitigate exploitation by similar threats.
- Monitor network traffic for any further suspicious activity on port 26 and other non-standard ports, adjusting firewall rules to block unauthorized SMTP traffic.
- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to ensure comprehensive threat eradication."""


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
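To make the rule's predicate and its false-positive guidance concrete, here is an added example (not code from the Elastic rule or its repository) that re-implements the KQL query over ECS-shaped event dictionaries and then applies the exception the rule's false_positives note calls for: dropping matches that involve a known mail server. The field names follow ECS as used in the query; the sample events and the allowlist are constructed.

```python
# Added example, not part of the Elastic rule. Mirrors the rule's KQL:
#   (event.dataset: (network_traffic.flow or zeek.smtp)
#     or event.category: (network or network_traffic))
#   and network.transport: tcp and destination.port: 26
# The sample events and known-MTA allowlist below are constructed.
from typing import Dict, Iterable, List, Set


def matches_rule(event: Dict) -> bool:
    """True when an ECS-style event satisfies the rule's query predicate."""
    dataset = event.get("event.dataset")
    categories = event.get("event.category", [])
    if isinstance(categories, str):          # ECS allows a scalar or a list here
        categories = [categories]
    source_ok = dataset in ("network_traffic.flow", "zeek.smtp") or any(
        c in ("network", "network_traffic") for c in categories
    )
    return (
        source_ok
        and event.get("network.transport") == "tcp"
        and event.get("destination.port") == 26
    )


def triage(events: Iterable[Dict], known_mail_servers: Set[str]) -> List[Dict]:
    """Return rule matches that do not involve a known mail transfer agent.
    Excluding known MTAs is the exception the rule's false_positives note asks for."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        if ev.get("source.ip") in known_mail_servers or ev.get("destination.ip") in known_mail_servers:
            continue                          # expected MTA behaviour, not an alert
        alerts.append(ev)
    return alerts


# Constructed sample events (documentation-range addresses, not real traffic).
SAMPLE_EVENTS = [
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10", "destination.port": 26},
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "10.0.0.25", "destination.ip": "198.51.100.7", "destination.port": 26},
    {"event.category": ["network"], "network.transport": "udp",
     "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10", "destination.port": 26},
    {"event.dataset": "zeek.smtp", "network.transport": "tcp",
     "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10", "destination.port": 25},
]
KNOWN_MAIL_SERVERS = {"10.0.0.25"}  # constructed: an internal MTA that legitimately uses port 26
```

Only the first sample event survives triage: the second is the allowlisted MTA, the third is UDP, and the fourth is ordinary port 25 SMTP.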
Related rules
- Accepted Default Telnet Port Connection
- IPSEC NAT Traversal Port Activity
- Possible FIN7 DGA Command and Control Behavior
- RDP (Remote Desktop Protocol) from the Internet
- Roshal Archive (RAR) or PowerShell File Downloaded from the Internet