SMTP on Port 26/TCP

Last updated a year ago on 2025-01-15

Created 6 years ago on 2020-02-18

About

This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.

Tags

Tactic: Command and ControlDomain: EndpointUse Case: Threat DetectionData Source: PAN-OSLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

Exfiltration (TA0010)(external, opens in a new tab or window)

↳ Exfiltration Over Alternative Protocol (T1048)(external, opens in a new tab or window)

False Positive Examples

Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

packetbeat-*auditbeat-*filebeat-*logs-network_traffic.*logs-panw.panos*

Related Integrations

network_traffic(external, opens in a new tab or window)

panw(external, opens in a new tab or window)

Query

✄𐘗text code block:
✄𐘗(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26

Install detection rules in Elastic Security

Detect SMTP on Port 26/TCP in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).