VNC (Virtual Network Computing) from the Internet
This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Elastic rule
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
false_positives = [
    """
    VNC connections may be received directly to Linux cloud server instances but such connections are usually made only
    by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and
    support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage
    that is unfamiliar to server or network owners can be unexpected and suspicious.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "VNC (Virtual Network Computing) from the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
severity = "high"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
    network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
    not source.ip:(
        10.0.0.0/8 or
        127.0.0.0/8 or
        169.254.0.0/16 or
        172.16.0.0/12 or
        192.0.0.0/24 or
        192.0.0.0/29 or
        192.0.0.8/32 or
        192.0.0.9/32 or
        192.0.0.10/32 or
        192.0.0.170/32 or
        192.0.0.171/32 or
        192.0.2.0/24 or
        192.31.196.0/24 or
        192.52.193.0/24 or
        192.168.0.0/16 or
        192.88.99.0/24 or
        224.0.0.0/4 or
        100.64.0.0/10 or
        192.175.48.0/24 or
        198.18.0.0/15 or
        198.51.100.0/24 or
        203.0.113.0/24 or
        240.0.0.0/4 or
        "::1" or
        "FE80::/10" or
        "FF00::/8"
    ) and
    destination.ip:(
        10.0.0.0/8 or
        172.16.0.0/12 or
        192.168.0.0/16
    )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating VNC (Virtual Network Computing) from the Internet

VNC allows remote control of systems, facilitating maintenance and resource sharing. However, when exposed to the Internet, it becomes a target for attackers seeking unauthorized access. Adversaries exploit VNC for initial access or as a backdoor. The detection rule identifies suspicious VNC traffic by monitoring specific TCP ports and filtering out trusted IP ranges, flagging potential threats for further investigation.

### Possible investigation steps

- Review the source IP address of the alert to determine if it is from an untrusted or suspicious location, as the rule filters out known trusted IP ranges.
- Check the destination IP address to confirm it belongs to an internal network (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and verify if the system is authorized to receive VNC traffic.
- Analyze the network traffic logs for the specified TCP ports (5800-5810) to identify any unusual patterns or repeated access attempts that could indicate malicious activity.
- Investigate the context of the event by correlating it with other security alerts or logs to determine if there are signs of a broader attack or compromise.
- Assess the risk and impact of the potential threat by evaluating the criticality of the affected system and any sensitive data it may contain.

### False positive analysis

- Internal testing or maintenance activities may trigger the rule if VNC is used for legitimate purposes within a controlled environment. To manage this, create exceptions for known internal IP addresses that frequently use VNC for authorized tasks.
- Automated systems or scripts that utilize VNC for routine operations might be flagged. Identify these systems and exclude their IP addresses from the rule to prevent unnecessary alerts.
- Remote workers using VPNs that route traffic through public IPs could be mistakenly identified as threats. Ensure that VPN IP ranges are included in the trusted IP list to avoid false positives.
- Misconfigured network devices that inadvertently expose VNC ports to the Internet can cause alerts. Regularly audit network configurations to ensure VNC ports are not exposed and adjust the rule to exclude known safe configurations.
- Third-party service providers accessing systems via VNC for support purposes might be flagged. Establish a list of trusted IPs for these providers and update the rule to exclude them from detection.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any active VNC sessions originating from untrusted IP addresses to cut off potential attacker access.
- Conduct a thorough review of system logs and network traffic to identify any unauthorized changes or data access that may have occurred during the VNC session.
- Reset credentials for any accounts that were accessed or could have been compromised during the unauthorized VNC session.
- Apply security patches and updates to the VNC software and any other potentially vulnerable applications on the affected system.
- Implement network segmentation to ensure that VNC services are only accessible from trusted internal networks and not exposed to the Internet.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Software"
reference = "https://attack.mitre.org/techniques/T1219/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
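The query is plain KQL, so its match logic can be mirrored offline to see exactly what a given flow would do and to rehearse the exception tuning the false-positive section recommends. The Python below is an added example written for this page; it is not Elastic's code and not part of the rule. It re-implements the conditions in order (flow dataset or network category, TCP, destination port 5800 to 5810, source outside the IANA special-purpose ranges, RFC 1918 destination) and runs them over constructed, flattened ECS events. Two things it makes visible that the rule text does not: the IANA documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are themselves in the exclusion list, so a test flow sourced from one of them can never alert and the sample uses an arbitrary routable address instead; and VNC's RFB listener conventionally sits on TCP 5900 plus the display number, while 5800 plus the display number is the legacy built-in HTTP/Java viewer port, so a connection straight to 5900 does not match this rule as shipped. The `ports` and `trusted_sources` parameters are hypothetical tuning knobs standing in for a modified port range and for rule exceptions (VPN egress, vendor support ranges); they are not rule fields.

```python
"""Offline re-implementation of the "VNC from the Internet" KQL match logic.

Added example for this page; not Elastic's code. Events are flattened ECS
dicts constructed below, not real telemetry.
"""
from ipaddress import ip_address, ip_network

# Source ranges the rule excludes (its `not source.ip:(...)` clause), copied verbatim.
EXCLUDED_SOURCES = [ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1", "FE80::/10", "FF00::/8",
)]
# Destinations the rule requires (its `destination.ip:(...)` clause): RFC 1918 only.
INTERNAL_DESTINATIONS = [ip_network(n) for n in
                         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# `destination.port >= 5800 and destination.port <= 5810`
PORT_RANGE = range(5800, 5811)


def in_any(ip, networks):
    """True if `ip` falls in any network; a v4/v6 version mismatch is simply False."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def matches_vnc_from_internet(event, ports=PORT_RANGE, trusted_sources=()):
    """Evaluate one flattened ECS event against the rule's conditions.

    `ports` and `trusted_sources` are hypothetical tuning knobs (not rule fields):
    a widened port range and an extra exclusion list standing in for rule exceptions.
    """
    categories = event.get("event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    if event.get("event.dataset") != "network_traffic.flow" and not (
        {"network", "network_traffic"} & set(categories)
    ):
        return False
    if event.get("network.transport") != "tcp":
        return False
    if event.get("destination.port") not in ports:
        return False
    src = event.get("source.ip")
    if src is None or in_any(src, EXCLUDED_SOURCES):
        return False
    if in_any(src, [ip_network(n) for n in trusted_sources]):
        return False
    dst = event.get("destination.ip")
    return dst is not None and in_any(dst, INTERNAL_DESTINATIONS)


def evaluate(events, **kwargs):
    """Return the events that would raise an alert."""
    return [e for e in events if matches_vnc_from_internet(e, **kwargs)]


def flow(src, dst, port, transport="tcp"):
    """Build a constructed network_traffic.flow event."""
    return {"event.dataset": "network_traffic.flow", "network.transport": transport,
            "source.ip": src, "destination.ip": dst, "destination.port": port}


# Constructed sample flows. 81.2.69.142 stands in for an arbitrary Internet host;
# the IANA documentation ranges cannot play that role because the rule excludes them.
SAMPLE_EVENTS = [
    flow("81.2.69.142", "192.168.10.20", 5800),          # alerts
    flow("10.1.2.3", "192.168.10.20", 5800),             # internal source: excluded
    flow("81.2.69.142", "192.168.10.20", 5900),          # default RFB port: outside 5800-5810
    flow("81.2.69.142", "192.168.10.20", 5801, "udp"),   # not TCP
    flow("81.2.69.142", "81.2.69.200", 5800),            # destination not RFC 1918
    flow("198.51.100.7", "10.0.0.9", 5800),              # TEST-NET-2 source: excluded
    {"event.category": ["network"], "network.transport": "tcp",   # PAN-OS style event
     "source.ip": "81.2.69.142", "destination.ip": "172.31.5.5", "destination.port": 5810},
]

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {e['source.ip']} -> {e['destination.ip']}:{e['destination.port']}")
    print(len(evaluate(SAMPLE_EVENTS, ports=range(5800, 5911))), "alerts with 5900 range added")
    print(len(evaluate(SAMPLE_EVENTS, trusted_sources=("81.2.69.0/24",))), "alerts with vendor range trusted")
```

Run as a script it prints the two alerting flows, then shows that extending the port range to cover 5900 picks up the third flow and that trusting the vendor's /24 silences all of them. Exclusions are evaluated with stdlib `ipaddress`, which handles the mixed IPv4 and IPv6 list without special casing.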
References
- https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
Related rules
- Accepted Default Telnet Port Connection
- IPSEC NAT Traversal Port Activity
- Possible FIN7 DGA Command and Control Behavior
- RDP (Remote Desktop Protocol) from the Internet
- Roshal Archive (RAR) or PowerShell File Downloaded from the Internet