SMTP to the Internet on Port 26/TCP
This rule detects events that may indicate use of SMTP on TCP port 26 from an internal host to an external destination. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. The rule is scoped to outbound traffic (internal source to external destination) to focus on the command and control and exfiltration use cases, rather than benign internal mail relays or unrelated transit traffic observed by the sensor.
Elastic rule source (TOML)
```toml
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw", "pfsense", "zeek", "corelight"]
maturity = "production"
updated_date = "2026/06/24"

[rule]
author = ["Elastic"]
description = """
This rule detects events that may indicate use of SMTP on TCP port 26 from an internal host to an external destination.
This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This
port has also been used by a malware family called BadPatch for command and control of Windows systems. The rule is
scoped to outbound traffic (internal source to external destination) to focus on the command and control and
exfiltration use cases, rather than benign internal mail relays or unrelated transit traffic observed by the sensor.
"""
false_positives = [
    """
    Internal hosts that legitimately send mail to external mail transfer agents listening on TCP port 26 may cause false
    positives. Mail servers or applications with known external SMTP relays can be excluded by source or destination IP
    address as this is expected behavior.
    """,
]
from = "now-9m"
index = ["logs-network_traffic.*", "logs-panw.panos*", "logs-pfsense.log-*", "logs-zeek.*", "logs-corelight.*"]
language = "kuery"
license = "Elastic License v2"
name = "SMTP to the Internet on Port 26/TCP"
references = [
    "https://unit42.paloaltonetworks.com/unit42-badpatch/",
    "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/",
]
risk_score = 21
rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
severity = "low"
tags = ["Tactic: Command and Control",
    "Tactic: Exfiltration",
    "Domain: Endpoint",
    "Use Case: Threat Detection",
    "Data Source: Corelight",
    "Data Source: PAN-OS",
    "Data Source: Network Traffic",
    "Data Source: pfSense",
    "Data Source: Zeek",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
(data_stream.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and
  network.transport:tcp and destination.port:26 and
  source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
  not destination.ip:(10.0.0.0/8
                      or 100.64.0.0/10
                      or 127.0.0.0/8
                      or 169.254.0.0/16
                      or 172.16.0.0/12
                      or 192.0.0.0/24
                      or 192.0.0.0/29
                      or 192.0.0.10/32
                      or 192.0.0.170/32
                      or 192.0.0.171/32
                      or 192.0.0.8/32
                      or 192.0.0.9/32
                      or 192.0.2.0/24
                      or 192.168.0.0/16
                      or 192.175.48.0/24
                      or 192.31.196.0/24
                      or 192.52.193.0/24
                      or 192.88.99.0/24
                      or 198.18.0.0/15
                      or 198.51.100.0/24
                      or 203.0.113.0/24
                      or 224.0.0.0/4
                      or 240.0.0.0/4
                      or "::1"
                      or "FE80::/10"
                      or "FF00::/8")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating SMTP to the Internet on Port 26/TCP

SMTP, typically operating on port 25, is crucial for email transmission. However, port 26 is often used to avoid conflicts or restrictions on port 25. Adversaries exploit this by using port 26 for covert command and control, as seen with the BadPatch malware. The detection rule identifies suspicious SMTP activity on port 26 originating from an internal host to an external destination, helping to uncover potential command and control or exfiltration while suppressing benign internal mail traffic.

### Possible investigation steps

- Review the network traffic logs to identify any unusual patterns or anomalies associated with TCP port 26, focusing on the data_stream.dataset values the query matches, such as network_traffic.flow or zeek.smtp.
- Analyze the source and destination IP addresses involved in the alert to determine if they are known or associated with any previous suspicious activities.
- Check for any additional alerts or logs related to the same source or destination IP addresses to identify potential patterns or repeated attempts of communication on port 26.
- Investigate the context of the communication by examining the payload data, if available, to identify any indicators of compromise or malicious content.
- Correlate the findings with threat intelligence sources to determine if the IP addresses or domains are associated with known threat actors or malware, such as BadPatch.
- Assess the risk and impact on the affected systems by determining if any sensitive data or critical systems are involved in the communication on port 26.

### False positive analysis

- Legitimate mail transfer agents may use port 26 to avoid conflicts with port 25. Identify these agents and create exceptions in the detection rule to prevent unnecessary alerts.
- Some network configurations might reroute SMTP traffic to port 26 for load balancing or security reasons. Verify these configurations and allowlist known IP addresses or domains to reduce false positives.
- Internal testing or development environments might use port 26 for non-malicious purposes. Document these environments and exclude their traffic from triggering alerts.
- Certain email service providers may use port 26 as an alternative to port 25. Confirm these providers and adjust the rule to recognize their traffic as benign.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further command and control communication via port 26.
- Conduct a thorough scan of the isolated system using updated antivirus and anti-malware tools to identify and remove the BadPatch malware or any other malicious software.
- Review and analyze network logs to identify any other systems that may have communicated with the same command and control server, and isolate those systems as well.
- Change all passwords and credentials that may have been compromised or accessed by the affected system to prevent unauthorized access.
- Apply security patches and updates to the affected system and any other vulnerable systems to mitigate exploitation by similar threats.
- Monitor network traffic for any further suspicious activity on port 26 and other non-standard ports, adjusting firewall rules to block unauthorized SMTP traffic.
- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to ensure comprehensive threat eradication."""


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique.subtechnique]]
id = "T1071.003"
name = "Mail Protocols"
reference = "https://attack.mitre.org/techniques/T1071/003/"

[[rule.threat.technique]]
id = "T1571"
name = "Non-Standard Port"
reference = "https://attack.mitre.org/techniques/T1571/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
```
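The rule's query is one KQL predicate, and its false-positive guidance says to exclude known relays by source or destination address. The following Python is an added example and is not Elastic's code or part of the rule: it mirrors each clause of the query with the standard-library `ipaddress` module, replays it over constructed ECS-style flow documents (nested and flat field layouts), and layers the relay allowlist on top so the exception behaviour can be checked offline. Field names follow ECS; the sample events, the routable placeholder address 100.128.0.1 and the relay address 10.9.0.3 are constructed for this example.

```python
"""Offline replay of the "SMTP to the Internet on Port 26/TCP" rule logic.

Added example, not Elastic's code. Mirrors the KQL query clause by clause and
adds a source/destination allowlist, which is how the rule's false_positives
text suggests excluding known external SMTP relays. All sample events below
are constructed, not captured traffic.
"""
import ipaddress
from typing import Any, Iterable

# source.ip clause: only RFC 1918 IPv4 sources match.
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# `not destination.ip:(...)` clause, copied from the rule: private, loopback,
# link-local, CGNAT, IETF protocol assignments, documentation, benchmarking,
# multicast, reserved, plus the three IPv6 ranges.
EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
    "192.0.0.8/32", "192.0.0.9/32", "192.0.2.0/24", "192.168.0.0/16", "192.175.48.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fe80::/10", "ff00::/8",
)]

DATASETS = {"network_traffic.flow", "zeek.smtp"}   # data_stream.dataset clause
CATEGORIES = {"network", "network_traffic"}         # event.category clause


def get_field(event: dict, path: str) -> Any:
    """Resolve an ECS dotted path against a flat ({"source.ip": ...}) or
    nested ({"source": {"ip": ...}}) document; None when the field is absent."""
    if path in event:
        return event[path]
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _in_any(ip: ipaddress._BaseAddress, nets: Iterable) -> bool:
    # IPv4 addresses are never "in" IPv6 networks and vice versa.
    return any(ip in n for n in nets)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies every clause of the rule's KQL query."""
    dataset = get_field(event, "data_stream.dataset")
    category = get_field(event, "event.category")   # ECS allows a list here
    categories = set(category) if isinstance(category, list) else {category}
    if dataset not in DATASETS and not (categories & CATEGORIES):
        return False
    if get_field(event, "network.transport") != "tcp":
        return False
    try:
        port = int(get_field(event, "destination.port"))
        src = ipaddress.ip_address(get_field(event, "source.ip"))
        dst = ipaddress.ip_address(get_field(event, "destination.ip"))
    except (TypeError, ValueError):      # missing or malformed fields never match
        return False
    if port != 26 or not _in_any(src, INTERNAL_SOURCES):
        return False
    return not _in_any(dst, EXCLUDED_DESTINATIONS)


def matches_with_exceptions(event: dict, allowed_sources: Iterable[str] = (),
                            allowed_destinations: Iterable[str] = ()) -> bool:
    """Apply the rule, then suppress hits whose source or destination is in an
    exception list of hosts/CIDRs (the known-relay exclusions the rule recommends)."""
    if not matches_rule(event):
        return False
    src = ipaddress.ip_address(get_field(event, "source.ip"))
    dst = ipaddress.ip_address(get_field(event, "destination.ip"))
    allow_src = [ipaddress.ip_network(n) for n in allowed_sources]
    allow_dst = [ipaddress.ip_network(n) for n in allowed_destinations]
    return not (_in_any(src, allow_src) or _in_any(dst, allow_dst))


def alerting_events(events: list, allowed_sources=(), allowed_destinations=()) -> list:
    """Indices of the events that would raise an alert after exceptions."""
    return [i for i, e in enumerate(events)
            if matches_with_exceptions(e, allowed_sources, allowed_destinations)]


def flow(src, dst, port=26, transport="tcp", dataset="network_traffic.flow", category=("network",)):
    """Build a nested ECS-style flow document (constructed sample, not captured data)."""
    return {"data_stream": {"dataset": dataset}, "event": {"category": list(category)},
            "network": {"transport": transport},
            "source": {"ip": src}, "destination": {"ip": dst, "port": port}}


# 100.128.0.1 is a constructed routable placeholder: CGNAT 100.64.0.0/10 ends at 100.127.255.255.
SAMPLE_EVENTS = [
    flow("10.20.30.40", "100.128.0.1"),                         # 0: alerts
    {"data_stream.dataset": "zeek.smtp", "network.transport": "tcp", "destination.port": 26,
     "source.ip": "192.168.1.10", "destination.ip": "100.128.0.1"},   # 1: alerts (flat keys, no event.category)
    flow("10.20.30.40", "100.127.255.254"),                     # 2: no alert, destination is CGNAT
    flow("172.32.0.5", "100.128.0.1"),                          # 3: no alert, 172.32/16 is outside 172.16.0.0/12
    flow("fd00::10", "2001:db8::25"),                           # 4: no alert, IPv6 source is never RFC 1918
    flow("10.20.30.40", "100.128.0.1", port=25),                # 5: no alert, port 25 is out of scope
    flow("10.20.30.40", "100.128.0.1", transport="udp"),        # 6: no alert, not TCP
    flow("10.20.30.40", "100.128.0.1", dataset="panw.panos", category=()),  # 7: no alert, dataset/category miss
    flow("10.9.0.3", "100.128.0.1"),                            # 8: alerts unless 10.9.0.3 is an excepted relay
]

if __name__ == "__main__":
    print("alerts, no exceptions:", alerting_events(SAMPLE_EVENTS))
    print("alerts, relay 10.9.0.3 excepted:", alerting_events(SAMPLE_EVENTS, allowed_sources=("10.9.0.3",)))
```

Two properties of the query become visible in the replay: the `source.ip` clause admits only RFC 1918 IPv4, so an IPv6 host (event 4) or an internal site numbered from public space never fires whatever the destination, and the exclusions are exact CIDRs, so 100.127.255.254 is suppressed as CGNAT while 100.128.0.1 one address higher is treated as the Internet. In Kibana the relay exclusion belongs in a rule exception rather than an edited query, so the rule stays updatable.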
Related rules
- RDP (Remote Desktop Protocol) from the Internet
- IPSEC NAT Traversal Port Activity
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- SMB (Windows File Sharing) Activity to the Internet