Techniques
Sample rules
SMTP to the Internet on Port 26/TCP
- source: elastic
- technicques:
- T1048
- T1071
- T1571
Description
This rule detects events that may indicate use of SMTP on TCP port 26 from an internal host to an external destination. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. The rule is scoped to outbound traffic (internal source to external destination) to focus on the command and control and exfiltration use cases, rather than benign internal mail relays or unrelated transit traffic observed by the sensor.
Detection logic
(data_stream.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and
network.transport:tcp and destination.port:26 and
source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
not destination.ip:(10.0.0.0/8
or 100.64.0.0/10
or 127.0.0.0/8
or 169.254.0.0/16
or 172.16.0.0/12
or 192.0.0.0/24
or 192.0.0.0/29
or 192.0.0.10/32
or 192.0.0.170/32
or 192.0.0.171/32
or 192.0.0.8/32
or 192.0.0.9/32
or 192.0.2.0/24
or 192.168.0.0/16
or 192.175.48.0/24
or 192.31.196.0/24
or 192.52.193.0/24
or 192.88.99.0/24
or 198.18.0.0/15
or 198.51.100.0/24
or 203.0.113.0/24
or 224.0.0.0/4
or 240.0.0.0/4
or "::1"
or "FE80::/10"
or "FF00::/8")