VNC (Virtual Network Computing) from the Internet

This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/17"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
false_positives = [
    """
    VNC connections may be received directly to Linux cloud server instances but such connections are usually made only
    by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and
    support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage
    that is unfamiliar to server or network owners can be unexpected and suspicious.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
language = "kuery"
license = "Elastic License v2"
name = "VNC (Virtual Network Computing) from the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
severity = "high"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
  not source.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  ) and
  destination.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Software"
reference = "https://attack.mitre.org/techniques/T1219/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
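The KQL query above boils down to four tests on each flow: the event comes from a network data source, the transport is TCP, the destination port is in 5800-5810, the source address is outside the listed special-use ranges and the destination address is in RFC 1918 space. The following Python is an added example that re-implements that logic offline so the exclusion list can be exercised against constructed ECS-style events; it is not Elastic's code, and the flat dictionary keys, the `is_vnc_from_internet` / `evaluate` helpers and the sample addresses (`5.6.7.8`, `2001:db8::1` and the private ones) are assumptions made for the example.

```python
import ipaddress

# Source ranges the rule excludes (copied verbatim from the query's "not source.ip" list).
EXCLUDED_SOURCE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1", "FE80::/10", "FF00::/8",
)]

# Destination ranges the rule requires (the query's "destination.ip" list).
INTERNAL_DEST_RANGES = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# destination.port >= 5800 and destination.port <= 5810 (inclusive on both ends).
VNC_PORTS = range(5800, 5811)


def _in_any(ip, networks):
    # ipaddress returns False for a v4/v6 version mismatch, so mixed lists are safe.
    return any(ip in net for net in networks)


def is_vnc_from_internet(event):
    """Return True when a flat ECS-style event (hypothetical key layout) matches the rule's query."""
    categories = event.get("event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    from_network_source = (event.get("event.dataset") == "network_traffic.flow"
                           or any(c in ("network", "network_traffic") for c in categories))
    if not from_network_source:
        return False
    if event.get("network.transport") != "tcp":
        return False
    try:
        port = int(event["destination.port"])
        src = ipaddress.ip_address(event["source.ip"])
        dst = ipaddress.ip_address(event["destination.ip"])
    except (KeyError, ValueError):
        return False          # malformed or incomplete flow record never matches
    if port not in VNC_PORTS:
        return False
    if _in_any(src, EXCLUDED_SOURCE_RANGES):
        return False          # private, loopback, CGNAT, documentation, multicast, ...
    return _in_any(dst, INTERNAL_DEST_RANGES)


# Constructed sample flows (not real telemetry); the label says what each one exercises.
SAMPLE_EVENTS = [
    {"label": "internet_to_internal_5800", "event.dataset": "network_traffic.flow",
     "network.transport": "tcp", "source.ip": "5.6.7.8",
     "destination.ip": "10.1.2.3", "destination.port": 5800},
    {"label": "internal_to_internal_5800", "event.dataset": "network_traffic.flow",
     "network.transport": "tcp", "source.ip": "192.168.1.5",
     "destination.ip": "10.1.2.3", "destination.port": 5800},
    {"label": "cgnat_source_5805", "event.dataset": "network_traffic.flow",
     "network.transport": "tcp", "source.ip": "100.64.3.3",
     "destination.ip": "10.1.2.3", "destination.port": 5805},
    {"label": "internet_to_internal_5900", "event.dataset": "network_traffic.flow",
     "network.transport": "tcp", "source.ip": "5.6.7.8",
     "destination.ip": "10.1.2.3", "destination.port": 5900},
    {"label": "internet_to_internet_5801", "event.dataset": "network_traffic.flow",
     "network.transport": "tcp", "source.ip": "5.6.7.8",
     "destination.ip": "5.6.7.9", "destination.port": 5801},
    {"label": "udp_5800", "event.dataset": "network_traffic.flow",
     "network.transport": "udp", "source.ip": "5.6.7.8",
     "destination.ip": "10.1.2.3", "destination.port": 5800},
    {"label": "category_network_5810", "event.category": ["network"],
     "network.transport": "tcp", "source.ip": "5.6.7.8",
     "destination.ip": "172.20.0.4", "destination.port": 5810},
    {"label": "ipv6_doc_prefix_source", "event.dataset": "network_traffic.flow",
     "network.transport": "tcp", "source.ip": "2001:db8::1",
     "destination.ip": "10.0.0.9", "destination.port": 5800},
]


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample label to whether the rule would fire on it."""
    return {e["label"]: is_vnc_from_internet(e) for e in events}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {label}")
```

Two of the sample results are worth noting when tuning this rule. The query's port range is 5800-5810, so the `internet_to_internal_5900` flow on the classic RFB port 5900 does not fire; if that port matters in your environment it needs a separate rule or a wider range. The IPv6 exclusions cover only loopback, link-local and multicast, so the `ipv6_doc_prefix_source` flow (source `2001:db8::1`) does fire; that mirrors the rule's own list, which is IPv4-centric.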
