SMTP to the Internet on Port 26/TCP

Last updated: 2026-06-24
Created: 2020-02-18

About

This rule detects events that may indicate use of SMTP on TCP port 26 from an internal host to an external destination. Several popular mail transfer agents listen on this port as an alternative to the default SMTP port 25, for example to avoid ISP filtering of port 25. The port has also been used by a malware family called BadPatch for command and control of Windows systems. The rule is scoped to outbound traffic (internal source to external destination) to focus on the command and control and exfiltration use cases, rather than on benign internal mail relays or unrelated transit traffic observed by the sensor. Note that the source filter in the query lists only the IPv4 RFC 1918 ranges, so hosts using IPv6 or other internal addressing are not covered unless the query is adapted.
Tags
Tactic: Command and Control
Tactic: Exfiltration
Domain: Endpoint
Use Case: Threat Detection
Data Source: Corelight
Data Source: PAN-OS
Data Source: Network Traffic
Data Source: pfSense
Data Source: Zeek
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Command and Control (TA0011)

Exfiltration (TA0010)

False Positive Examples
Internal hosts that legitimately send mail to external mail transfer agents listening on TCP port 26 may cause false positives. Mail servers or applications that use known external SMTP relays can be excluded by source or destination IP address, since that traffic is expected behavior.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-network_traffic.*
logs-panw.panos*
logs-pfsense.log-*
logs-zeek.*
logs-corelight.*
Related Integrations

network_traffic

panw

pfsense

zeek

corelight

Query
(data_stream.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8")
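To make the scoping described under About and the query above concrete, the following is an added example, not code from the rule or from Elastic, that re-implements the query's matching logic in Python over constructed ECS-style records. It also applies the per-IP relay exception suggested under False Positive Examples and shows what the source and destination filters do and do not cover. The sample records, the use of 8.8.8.8 and 8.8.4.4 as stand-ins for external mail hosts, and the KNOWN_RELAYS allowlist are assumptions made for illustration; field names follow ECS.

```python
import ipaddress

# Sample data and the relay allowlist below are constructed for this example;
# they are not taken from the rule, its documentation, or any real sensor.

# Source ranges the rule treats as internal (IPv4 RFC 1918 only).
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination ranges the rule excludes, transcribed from the KQL query
# (private, shared address space, loopback, link-local, IETF protocol
# assignments, documentation/test nets, multicast, reserved, and the
# IPv6 loopback/link-local/multicast blocks).
EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.10/32",
    "192.0.0.170/32", "192.0.0.171/32", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.2.0/24", "192.168.0.0/16", "192.175.48.0/24", "192.31.196.0/24",
    "192.52.193.0/24", "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fe80::/10", "ff00::/8")]

DATASETS = {"network_traffic.flow", "zeek.smtp"}
CATEGORIES = {"network", "network_traffic"}


def in_any(ip, networks):
    """True if ip falls in any listed network (v4/v6 mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def matches_rule(event):
    """Return True when the KQL rule would fire on this ECS-style record."""
    cats = event.get("event.category", [])
    cats = set(cats) if isinstance(cats, list) else {cats}
    in_scope = (event.get("data_stream.dataset") in DATASETS
                or bool(cats & CATEGORIES))
    return (in_scope
            and event.get("network.transport") == "tcp"
            and event.get("destination.port") == 26
            and in_any(event["source.ip"], INTERNAL_SOURCES)
            and not in_any(event["destination.ip"], EXCLUDED_DESTINATIONS))


def triage(events, known_relays=frozenset()):
    """Apply the rule, then set aside hits whose destination is a documented
    external relay (the per-IP exception the False Positive Examples describe)."""
    hits, suppressed = [], []
    for ev in events:
        if matches_rule(ev):
            (suppressed if ev["destination.ip"] in known_relays else hits).append(ev)
    return hits, suppressed


# Constructed sample records; 8.8.8.8 and 8.8.4.4 are used only as
# well-known public addresses so the "external destination" branch runs.
SAMPLE_EVENTS = [
    # 1: internal host -> public address on 26/tcp: the rule fires
    {"id": 1, "data_stream.dataset": "zeek.smtp", "network.transport": "tcp",
     "source.ip": "10.20.30.40", "destination.ip": "8.8.8.8", "destination.port": 26},
    # 2: internal relay hop: destination is RFC 1918, excluded
    {"id": 2, "data_stream.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "192.168.1.10", "destination.ip": "192.168.50.5", "destination.port": 26},
    # 3: TEST-NET-3 (203.0.113.0/24) is excluded, so test events built from
    #    RFC 5737 documentation addresses will never trigger this rule
    {"id": 3, "event.category": ["network"], "network.transport": "tcp",
     "source.ip": "172.16.5.5", "destination.ip": "203.0.113.10", "destination.port": 26},
    # 4: UDP is out of scope
    {"id": 4, "event.category": "network", "network.transport": "udp",
     "source.ip": "10.1.1.1", "destination.ip": "8.8.8.8", "destination.port": 26},
    # 5: matches, but the destination is a documented external relay
    {"id": 5, "data_stream.dataset": "zeek.smtp", "network.transport": "tcp",
     "source.ip": "10.9.8.7", "destination.ip": "8.8.4.4", "destination.port": 26},
    # 6: ordinary SMTP on 25 is not this rule's concern
    {"id": 6, "data_stream.dataset": "zeek.smtp", "network.transport": "tcp",
     "source.ip": "10.0.0.5", "destination.ip": "8.8.8.8", "destination.port": 25},
    # 7: IPv6 ULA source: the source filter lists only IPv4 ranges, so no hit
    {"id": 7, "data_stream.dataset": "zeek.smtp", "network.transport": "tcp",
     "source.ip": "fd12:3456::10", "destination.ip": "2001:db8::25", "destination.port": 26},
]

KNOWN_RELAYS = frozenset({"8.8.4.4"})   # hypothetical allowlist of expected relays


def run_sample():
    """Return ([ids that alert], [ids suppressed by the relay allowlist])."""
    hits, suppressed = triage(SAMPLE_EVENTS, KNOWN_RELAYS)
    return [e["id"] for e in hits], [e["id"] for e in suppressed]


if __name__ == "__main__":
    print(run_sample())   # ([1], [5])
```

Two points worth noting when testing or tuning the rule follow directly from this: events built with RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as destinations never match, because the query excludes those ranges, and an IPv6-only source never matches, because the source filter lists only the IPv4 private ranges. The allowlist here is applied after matching for clarity; in the Elastic rule the equivalent is an exception on source or destination IP.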

Install detection rules in Elastic Security

Detect SMTP to the Internet on Port 26/TCP in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.