Threat Feed
low threat

Suspicious SMTP Activity on Port 26/TCP

This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.

This detection rule identifies SMTP activity over TCP port 26. Standard SMTP uses port 25; port 26 is sometimes used as an alternative to avoid conflicts or restrictions, and the BadPatch malware family has been known to use it for command and control (C2) communications with compromised Windows systems. Because legitimate SMTP on port 26 is uncommon, such traffic is treated as suspicious and may indicate a covert C2 channel such as the one BadPatch uses. The rule inspects network traffic for SMTP communication on this non-standard port to surface potential infections or unauthorized network activity.

Attack Chain

  1. Initial infection occurs via an unspecified method (e.g., phishing, exploit).
  2. Malware establishes a foothold on the compromised system.
  3. Malware configures itself to use SMTP on port 26 for C2 communications.
  4. The infected host initiates a TCP connection to a remote server on port 26.
  5. Commands are delivered to the infected host over the SMTP connection on port 26.
  6. The infected host executes the received commands.
  7. The malware may exfiltrate data to the remote server over the SMTP connection on port 26.

Impact

Compromised systems may be remotely controlled by attackers, leading to data theft, malware propagation, or further malicious activities. The use of non-standard ports like 26 can help attackers evade detection. If successful, an attacker can maintain persistence and control over the compromised system.

Recommendation

  • Deploy the Sigma rule Detect SMTP Traffic on TCP Port 26 to your SIEM and tune for your environment to detect potential command and control activity.
  • Investigate any network connections on TCP port 26 to identify potentially malicious SMTP traffic.
  • Review network traffic logs focusing on network_traffic.flow or zeek.smtp events to detect unusual patterns associated with TCP port 26.
  • Implement firewall rules to block unauthorized SMTP traffic on port 26.
  • Examine source and destination IP addresses of traffic on port 26, and correlate with threat intelligence sources to identify known malicious actors as per the references.
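The detection logic described above, worked through as an added example over constructed Zeek conn.log-style records (this is not the vendor's Sigma rule or its query). It assumes Zeek's conn.log field names (id.orig_h, id.resp_h, id.resp_p, proto, service) and an assumed allowlist of relays that legitimately speak SMTP on port 26; the service field lets the rule distinguish flows Zeek actually identified as SMTP from any TCP/26 connection, which is the main tuning knob when deploying a port-based rule.

```python
# Added example (not the vendor's rule): flag SMTP-on-tcp/26 flows in Zeek conn.log-style records.
# Field names follow Zeek's conn.log; the sample log and the relay allowlist are constructed
# assumptions for this demonstration.
import csv
import io

# Constructed sample: three flows to port 26 and one to port 25. Only Ca1 is SMTP on 26
# to a non-allowlisted host; Ca2 is a port-26 flow Zeek did not identify as SMTP; Ca3 goes
# to an allowlisted relay; Ca4 is ordinary SMTP on port 25.
SAMPLE_CONN_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1700000000.1\tCa1\t10.0.0.5\t51000\t203.0.113.10\t26\ttcp\tsmtp
1700000001.2\tCa2\t10.0.0.7\t51001\t203.0.113.20\t26\ttcp\t-
1700000002.3\tCa3\t10.0.0.9\t51002\t198.51.100.5\t26\ttcp\tsmtp
1700000003.4\tCa4\t10.0.0.5\t51003\t203.0.113.30\t25\ttcp\tsmtp
"""

# Assumed tuning allowlist: relays known to accept SMTP on port 26 in this environment.
ALLOWED_RELAYS = {"198.51.100.5"}


def parse_conn_log(text):
    """Parse a tab-separated conn.log body (header row first) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def detect_smtp_port26(records, allowed_relays=ALLOWED_RELAYS, require_service=True):
    """Return alerts for TCP flows to port 26, skipping allowlisted destinations.

    With require_service=True (default) only flows whose Zeek service field is 'smtp'
    fire; require_service=False widens this to any TCP/26 flow, which is what a
    port-only rule sees and is noisier.
    """
    alerts = []
    for r in records:
        if r["proto"] != "tcp" or r["id.resp_p"] != "26":
            continue
        if r["id.resp_h"] in allowed_relays:
            continue
        if require_service and r["service"] != "smtp":
            continue
        alerts.append({"uid": r["uid"], "src": r["id.orig_h"],
                       "dst": r["id.resp_h"], "service": r["service"]})
    return alerts


if __name__ == "__main__":
    for a in detect_smtp_port26(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"SMTP on tcp/26: {a['src']} -> {a['dst']} (uid {a['uid']})")
```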

Detection coverage (2 rules)

Detect SMTP Traffic on TCP Port 26

low

Detects network traffic using SMTP on TCP port 26, which may indicate command and control activity.

Type: sigma | Tactics: command_and_control | Techniques: T1071.003 | Sources: network_connection, windows

Detect SMTP Traffic on TCP Port 26 (PAN-OS)

low

Detects PAN-OS network traffic using SMTP on TCP port 26, which may indicate command and control activity.

Type: sigma | Tactics: command_and_control | Techniques: T1071.003 | Sources: network_connection, panw
