{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/badpatch/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["BadPatch"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["command-and-control","exfiltration","network-traffic"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies suspicious SMTP activity over TCP port 26. Standard SMTP relay traffic uses port 25; some hosting providers offer port 26 as an alternative where outbound port 25 is filtered or otherwise restricted. The BadPatch malware family has been observed using port 26 for command and control (C2) communications with compromised Windows systems. Because legitimate SMTP on port 26 is uncommon in most environments, such traffic warrants scrutiny as a possible covert C2 channel used by malware like BadPatch. 
The rule inspects network traffic metadata for SMTP sessions on this non-standard port, helping to identify potential infections or unauthorized network activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial infection occurs via an unspecified method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eMalware establishes a foothold on the compromised system.\u003c/li\u003e\n\u003cli\u003eMalware configures itself to use SMTP on port 26 for C2 communications.\u003c/li\u003e\n\u003cli\u003eThe infected host initiates a TCP connection to a remote server on port 26.\u003c/li\u003e\n\u003cli\u003eThe attacker's C2 server sends commands to the infected host over the SMTP session on port 26.\u003c/li\u003e\n\u003cli\u003eThe infected host executes the received commands.\u003c/li\u003e\n\u003cli\u003eThe malware may exfiltrate data to the remote server over the same SMTP session on port 26.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems may be remotely controlled by attackers, leading to data theft, malware propagation, or further malicious activities. Using a non-standard port like 26 helps attackers evade controls and detections that only watch port 25. 
If successful, an attacker can maintain persistence and control over the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SMTP Traffic on TCP Port 26\u003c/code\u003e to your SIEM and tune it for your environment (for example, allowlist any mail relay your hosting provider legitimately serves on port 26) to detect potential command and control activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any network connections to TCP port 26 to identify potentially malicious SMTP traffic; repeated short connections from one host to one external address are a stronger indicator than a single large transfer.\u003c/li\u003e\n\u003cli\u003eReview network traffic logs, focusing on \u003ccode\u003enetwork_traffic.flow\u003c/code\u003e or \u003ccode\u003ezeek.smtp\u003c/code\u003e events, for unusual patterns on TCP port 26. A \u003ccode\u003ezeek.smtp\u003c/code\u003e event is produced only when Zeek's analyzer actually recognized SMTP on the connection, so it is stronger evidence than a flow record showing port 26 alone.\u003c/li\u003e\n\u003cli\u003eImplement firewall rules to block outbound SMTP on port 26 unless a documented mail relay requires it; egress to port 26 from workstations is rarely legitimate.\u003c/li\u003e\n\u003cli\u003eExamine source and destination IP addresses of traffic on port 26, and correlate them with threat intelligence sources to identify known malicious infrastructure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-smtp-port-26/","summary":"This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.","title":"Suspicious SMTP Activity on Port 26/TCP","url":"https://feed.craftedsignal.io/briefs/2024-01-03-smtp-port-26/"}],"language":"en","title":"CraftedSignal Threat Feed — BadPatch","version":"https://jsonfeed.org/version/1.1"}
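The detection logic described in the brief, run over a handful of Zeek conn.log records, as an added example in Python. This is not CraftedSignal's Sigma rule and not BadPatch code; it mirrors the rule's core condition (TCP to destination port 26) and adds the two tuning points the recommendations call for: an allowlist of relays that legitimately serve port 26, and per-host aggregation so repeated connections stand out. The log lines are constructed, the allowlisted address and all IPs are documentation-range placeholders, and the field names follow Zeek's JSON conn.log output.

```python
"""Flag SMTP on 26/tcp in Zeek JSON conn.log records (added example, not the page's rule)."""
import json
from collections import defaultdict

SMTP_ALT_PORT = 26

# Hypothetical tuning allowlist: relays your hosting provider legitimately serves on 26/tcp.
KNOWN_RELAYS_ON_26 = {"203.0.113.25"}

# Constructed Zeek conn.log records in JSON output format; not captured traffic.
# Zeek omits unset fields in JSON output, so a connection without a recognized
# protocol simply has no "service" key.
SAMPLE_CONN_LOG = """
{"ts":1704283200.10,"uid":"CjA1","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"198.51.100.7","id.resp_p":26,"proto":"tcp","service":"smtp","conn_state":"SF","orig_bytes":412,"resp_bytes":180}
{"ts":1704283260.22,"uid":"CjA2","id.orig_h":"10.0.0.5","id.orig_p":49153,"id.resp_h":"198.51.100.7","id.resp_p":26,"proto":"tcp","service":"smtp","conn_state":"SF","orig_bytes":398,"resp_bytes":176}
{"ts":1704283320.31,"uid":"CjA3","id.orig_h":"10.0.0.5","id.orig_p":49154,"id.resp_h":"198.51.100.7","id.resp_p":26,"proto":"tcp","service":"smtp","conn_state":"SF","orig_bytes":420,"resp_bytes":184}
{"ts":1704283330.00,"uid":"CjB1","id.orig_h":"10.0.0.8","id.orig_p":50001,"id.resp_h":"203.0.113.25","id.resp_p":26,"proto":"tcp","service":"smtp","conn_state":"SF","orig_bytes":9120,"resp_bytes":540}
{"ts":1704283340.00,"uid":"CjC1","id.orig_h":"10.0.0.5","id.orig_p":50002,"id.resp_h":"192.0.2.10","id.resp_p":25,"proto":"tcp","service":"smtp","conn_state":"SF","orig_bytes":1200,"resp_bytes":300}
{"ts":1704283350.00,"uid":"CjD1","id.orig_h":"10.0.0.9","id.orig_p":50003,"id.resp_h":"198.51.100.20","id.resp_p":26,"proto":"tcp","conn_state":"S0","orig_bytes":0,"resp_bytes":0}
{"ts":1704283360.00,"uid":"CjD2","id.orig_h":"10.0.0.9","id.orig_p":50004,"id.resp_h":"198.51.100.20","id.resp_p":26,"proto":"udp","conn_state":"S0","orig_bytes":60,"resp_bytes":0}
not-json-garbage-line
"""


def parse_conn_log(text):
    """Parse Zeek JSON conn.log lines, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def classify(rec, allow=KNOWN_RELAYS_ON_26):
    """Return None, "port-only" or "smtp-on-26" for one connection record.

    "port-only" is the Sigma rule's flow-level condition (tcp to port 26);
    "smtp-on-26" means Zeek's protocol detection also labelled the session smtp,
    which is the evidence a zeek.smtp event would carry.
    """
    if rec.get("proto") != "tcp" or rec.get("id.resp_p") != SMTP_ALT_PORT:
        return None
    if rec.get("id.resp_h") in allow:
        return None
    services = rec.get("service", "").split(",")  # Zeek joins multiple analyzers with commas
    return "smtp-on-26" if "smtp" in services else "port-only"


def detect(records):
    """Aggregate hits per (source, destination) so beacon-like repetition is visible."""
    hits = defaultdict(lambda: {"count": 0, "confidence": "port-only", "uids": []})
    for rec in records:
        verdict = classify(rec)
        if verdict is None:
            continue
        entry = hits[(rec["id.orig_h"], rec["id.resp_h"])]
        entry["count"] += 1
        entry["uids"].append(rec.get("uid"))
        if verdict == "smtp-on-26":
            entry["confidence"] = "smtp-on-26"
    alerts = [{"src": s, "dst": d, **v} for (s, d), v in hits.items()]
    # Confirmed SMTP first, then by connection count descending.
    alerts.sort(key=lambda a: (a["confidence"] != "smtp-on-26", -a["count"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f'{alert["src"]} -> {alert["dst"]}:26  {alert["confidence"]}  '
              f'connections={alert["count"]}  uids={",".join(alert["uids"])}')
```

Run stand-alone it prints two alerts: 10.0.0.5 talking to 198.51.100.7 three times with Zeek-confirmed SMTP, and 10.0.0.9 reaching 198.51.100.20 once on port 26 with no protocol identified. The allowlisted relay, the port 25 session and the UDP datagram are not reported.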