Accepted Default Telnet Port Connection

This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/02/18"
  3integration = ["network_traffic", "panw"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system
 11administrators to remotely control older or embedded systems using the command line shell. It should almost never be
 12directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
 13backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the
 14traffic.
 15"""
 16false_positives = [
 17    """
 18    IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business
 19    work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet
 20    activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production
 21    server that has no known associated Telnet work-flow or business requirement is often suspicious.
 22    """,
 23]
 24from = "now-9m"
 25index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 26language = "kuery"
 27license = "Elastic License v2"
 28name = "Accepted Default Telnet Port Connection"
 29risk_score = 47
 30rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 31severity = "medium"
 32tags = [
 33    "Domain: Endpoint",
 34    "Use Case: Threat Detection",
 35    "Tactic: Command and Control",
 36    "Tactic: Lateral Movement",
 37    "Tactic: Initial Access",
 38    "Data Source: PAN-OS",
 39    "Resources: Investigation Guide"
 40]
 41timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 42timeline_title = "Comprehensive Network Timeline"
 43timestamp_override = "event.ingested"
 44type = "query"
 45
 46query = '''
 47(event.dataset:network_traffic.flow or event.category:(network or network_traffic))
 48    and event.type:connection and not event.action:(
 49        flow_dropped or flow_denied or denied or deny or
 50        flow_terminated or timeout or Reject or network_flow)
 51    and destination.port:23
 52'''
 53note = """## Triage and analysis
 54
 55> **Disclaimer**:
 56> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 57
 58### Investigating Accepted Default Telnet Port Connection
 59
 60Telnet, a protocol for remote command-line access, is often used in legacy systems. Its lack of encryption makes it vulnerable, allowing attackers to intercept credentials or use it as a backdoor. The detection rule identifies unencrypted Telnet traffic on port 23, flagging connections that bypass typical security measures, thus highlighting potential unauthorized access attempts.
 61
 62### Possible investigation steps
 63
 64- Review the network traffic logs to identify the source IP address associated with the Telnet connection on port 23. Determine if the source IP is internal or external to the organization.
 65- Check the destination IP address to ascertain if it belongs to a critical system or a legacy device that might still use Telnet for management purposes.
 66- Investigate the timeline of the connection event to see if there are any patterns or repeated attempts, which could indicate a persistent threat or automated attack.
 67- Analyze any associated user accounts or credentials used during the Telnet session to verify if they are legitimate and authorized for remote access.
 68- Correlate the Telnet connection event with other security alerts or logs to identify any related suspicious activities, such as failed login attempts or unusual data transfers.
 69- Assess the network segment where the Telnet traffic was detected to determine if it is appropriately segmented and secured against unauthorized access.
 70- Consider implementing network security measures, such as disabling Telnet on devices or replacing it with secure alternatives like SSH, to prevent future unauthorized access attempts.
 71
 72### False positive analysis
 73
 74- Legacy systems or devices that require Telnet for management may trigger alerts. To manage this, create exceptions for specific IP addresses or subnets known to host these systems.
 75- Internal network monitoring tools that use Telnet for legitimate purposes might be flagged. Identify these tools and exclude their traffic from the rule to prevent unnecessary alerts.
 76- Lab environments or test networks where Telnet is used for educational or testing purposes can cause false positives. Implement network segmentation and apply exceptions to these environments to reduce noise.
 77- Automated scripts or maintenance tasks that utilize Telnet for routine operations may be mistakenly identified. Document these tasks and whitelist their associated traffic patterns to avoid false alerts.
 78
 79### Response and remediation
 80
 81- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 82- Terminate any active Telnet sessions on the affected system to disrupt potential attacker activities.
 83- Conduct a thorough review of system logs and network traffic to identify any unauthorized access or data manipulation that may have occurred.
 84- Change all credentials that may have been exposed through Telnet traffic, prioritizing those with administrative privileges.
 85- Implement network segmentation to restrict Telnet access to only necessary internal systems, ensuring it is not exposed to the internet.
 86- Deploy encryption protocols such as SSH to replace Telnet for remote command-line access, enhancing security for remote management.
 87- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for additional security measures."""
 88
 89
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92
 93[rule.threat.tactic]
 94id = "TA0011"
 95name = "Command and Control"
 96reference = "https://attack.mitre.org/tactics/TA0011/"
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1021"
101name = "Remote Services"
102reference = "https://attack.mitre.org/techniques/T1021/"
103
104
105[rule.threat.tactic]
106id = "TA0008"
107name = "Lateral Movement"
108reference = "https://attack.mitre.org/tactics/TA0008/"
109[[rule.threat]]
110framework = "MITRE ATT&CK"
111[[rule.threat.technique]]
112id = "T1190"
113name = "Exploit Public-Facing Application"
114reference = "https://attack.mitre.org/techniques/T1190/"
115
116
117[rule.threat.tactic]
118id = "TA0001"
119name = "Initial Access"
120reference = "https://attack.mitre.org/tactics/TA0001/"
...
toml

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Telnet, a protocol for remote command-line access, is often used in legacy systems. Its lack of encryption makes it vulnerable, allowing attackers to intercept credentials or use it as a backdoor. The detection rule identifies unencrypted Telnet traffic on port 23, flagging connections that bypass typical security measures, thus highlighting potential unauthorized access attempts.

  • Review the network traffic logs to identify the source IP address associated with the Telnet connection on port 23. Determine if the source IP is internal or external to the organization.
  • Check the destination IP address to ascertain if it belongs to a critical system or a legacy device that might still use Telnet for management purposes.
  • Investigate the timeline of the connection event to see if there are any patterns or repeated attempts, which could indicate a persistent threat or automated attack.
  • Analyze any associated user accounts or credentials used during the Telnet session to verify if they are legitimate and authorized for remote access.
  • Correlate the Telnet connection event with other security alerts or logs to identify any related suspicious activities, such as failed login attempts or unusual data transfers.
  • Assess the network segment where the Telnet traffic was detected to determine if it is appropriately segmented and secured against unauthorized access.
  • Consider implementing network security measures, such as disabling Telnet on devices or replacing it with secure alternatives like SSH, to prevent future unauthorized access attempts.
  • Legacy systems or devices that require Telnet for management may trigger alerts. To manage this, create exceptions for specific IP addresses or subnets known to host these systems.
  • Internal network monitoring tools that use Telnet for legitimate purposes might be flagged. Identify these tools and exclude their traffic from the rule to prevent unnecessary alerts.
  • Lab environments or test networks where Telnet is used for educational or testing purposes can cause false positives. Implement network segmentation and apply exceptions to these environments to reduce noise.
  • Automated scripts or maintenance tasks that utilize Telnet for routine operations may be mistakenly identified. Document these tasks and whitelist their associated traffic patterns to avoid false alerts.
  • Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
  • Terminate any active Telnet sessions on the affected system to disrupt potential attacker activities.
  • Conduct a thorough review of system logs and network traffic to identify any unauthorized access or data manipulation that may have occurred.
  • Change all credentials that may have been exposed through Telnet traffic, prioritizing those with administrative privileges.
  • Implement network segmentation to restrict Telnet access to only necessary internal systems, ensuring it is not exposed to the internet.
  • Deploy encryption protocols such as SSH to replace Telnet for remote command-line access, enhancing security for remote management.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for additional security measures.

Related rules

to-top