SMTP on Port 26/TCP

This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3integration = ["network_traffic"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/18"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular
13mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family
14called BadPatch for command and control of Windows systems.
15"""
16false_positives = [
17    """
18    Servers that process email traffic may cause false positives and should be excluded from this rule as this is
19    expected behavior.
20    """,
21]
22from = "now-9m"
23index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "SMTP on Port 26/TCP"
27references = [
28    "https://unit42.paloaltonetworks.com/unit42-badpatch/",
29    "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/",
30]
31risk_score = 21
32rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
33severity = "low"
34tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
35timestamp_override = "event.ingested"
36type = "query"
37
38query = '''
39(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45
46[rule.threat.tactic]
47id = "TA0011"
48name = "Command and Control"
49reference = "https://attack.mitre.org/tactics/TA0011/"
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1048"
54name = "Exfiltration Over Alternative Protocol"
55reference = "https://attack.mitre.org/techniques/T1048/"
56
57
58[rule.threat.tactic]
59id = "TA0010"
60name = "Exfiltration"
61reference = "https://attack.mitre.org/tactics/TA0010/"

References

Related rules
