VNC (Virtual Network Computing) to the Internet
This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Elastic rule
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/05/05"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
false_positives = [
    """
    VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by
    engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and
    support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage
    that is unfamiliar to server or network owners can be unexpected and suspicious.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "VNC (Virtual Network Computing) to the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 47
rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
severity = "medium"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating VNC (Virtual Network Computing) to the Internet

VNC is a tool that allows remote control of computers, often used by administrators for maintenance. However, when exposed to the internet, it becomes a target for attackers seeking unauthorized access. Adversaries exploit VNC to establish backdoors or gain initial access. The detection rule identifies suspicious VNC traffic by monitoring specific TCP ports and filtering out internal IP addresses, flagging potential threats when VNC is accessed from external networks.

### Possible investigation steps

- Review the source IP address to determine if it belongs to a known internal asset or user, and verify if the access was authorized.
- Check the destination IP address to confirm if it is an external address and investigate its reputation or any known associations with malicious activity.
- Analyze the network traffic logs for the specified TCP ports (5800-5810) to identify any unusual patterns or volumes of VNC traffic.
- Correlate the VNC traffic event with other security events or logs to identify any related suspicious activities or anomalies.
- Investigate the user account associated with the VNC session to ensure it has not been compromised or misused.
- Assess the system or application logs on the destination machine for any signs of unauthorized access or changes during the time of the VNC connection.

### False positive analysis

- Internal maintenance activities may trigger the rule if VNC is used for legitimate remote administration. To manage this, create exceptions for known internal IP addresses that frequently use VNC for maintenance.
- Automated scripts or tools that use VNC for legitimate purposes might be flagged. Identify these tools and whitelist their IP addresses to prevent unnecessary alerts.
- Testing environments that simulate external access to VNC for security assessments can cause false positives. Exclude IP ranges associated with these environments to avoid confusion.
- Cloud-based services that use VNC for remote management might be misidentified as threats. Verify these services and add their IP addresses to an exception list if they are trusted.
- Temporary remote access setups for troubleshooting or support can be mistaken for unauthorized access. Document these instances and apply temporary exceptions to reduce false alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any active VNC sessions that are identified as originating from external networks to cut off potential attacker access.
- Conduct a thorough review of system logs and network traffic to identify any unauthorized access or data transfer that may have occurred during the VNC exposure.
- Change all passwords and credentials associated with the affected system and any other systems that may have been accessed using the same credentials.
- Apply necessary patches and updates to the VNC software and any other vulnerable applications on the affected system to mitigate known vulnerabilities.
- Implement network segmentation to ensure that VNC services are only accessible from trusted internal networks and not exposed to the internet.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be compromised."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
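The KQL query above, re-implemented in Python as an added example (this is not Elastic's code and not part of the rule) and run over constructed flow events, so the filtering behaviour can be checked offline before tuning the rule. The CIDR lists and port range are copied from the query; the helper names (matches_rule, summarize_hits, _flow), the sample events and the placeholder public address 11.22.33.44 are assumptions for illustration. Three of the non-matching samples are worth knowing about when you test this rule: the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are on the exclusion list, so a test flow to 203.0.113.x never alerts; the rule covers 5800-5810 (conventionally the VNC HTTP/Java-viewer ports) and not 5900-5910 (the RFB display ports), so a plain VNC client session to port 5900 is outside its scope; and the source list is IPv4-only, so IPv6 sources such as fd00::/8 never match.

```python
"""Python re-implementation of the 'VNC to the Internet' predicate (added example)."""
import ipaddress
from collections import defaultdict

# destination.port >= 5800 and destination.port <= 5810
VNC_PORTS = range(5800, 5811)

# source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
PRIVATE_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# not destination.ip:(...)  -- the rule's exclusion list, copied as-is
EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1", "fe80::/10", "ff00::/8",
)]


def _in_any(ip, networks):
    # ipaddress answers False for a v4 address tested against a v6 network, so mixing is safe
    return any(ip in net for net in networks)


def matches_rule(event):
    """Return True when a flattened ECS event satisfies the rule's query."""
    categories = event.get("event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    if event.get("event.dataset") != "network_traffic.flow" and not (
            {"network", "network_traffic"} & set(categories)):
        return False
    if event.get("network.transport") != "tcp":
        return False
    if event.get("destination.port") not in VNC_PORTS:
        return False
    try:
        src = ipaddress.ip_address(event["source.ip"])
        dst = ipaddress.ip_address(event["destination.ip"])
    except (KeyError, ValueError):
        return False
    # Source must be RFC 1918; the rule lists only IPv4 ranges, so IPv6 sources never match
    if not _in_any(src, PRIVATE_SOURCES):
        return False
    # Destination must lie outside every excluded range (documentation nets included)
    return not _in_any(dst, EXCLUDED_DESTINATIONS)


def summarize_hits(events):
    """Group matching flows by source.ip -> sorted (destination.ip, port) pairs,
    i.e. 'which internal host is talking VNC outbound, and to where'."""
    hits = defaultdict(set)
    for ev in events:
        if matches_rule(ev):
            hits[ev["source.ip"]].add((ev["destination.ip"], ev["destination.port"]))
    return {src: sorted(pairs) for src, pairs in hits.items()}


def _flow(src, dst, port, transport="tcp", **extra):
    # Build a Packetbeat-style flow event with the fields the query reads (assumed shape)
    ev = {"event.dataset": "network_traffic.flow", "network.transport": transport,
          "source.ip": src, "destination.ip": dst, "destination.port": port}
    ev.update(extra)
    return ev


# Constructed sample events, not real telemetry. 11.22.33.44 stands in for an arbitrary
# routable address because the documentation ranges are excluded by the rule.
SAMPLE_EVENTS = [
    _flow("10.20.30.40", "11.22.33.44", 5800),                  # alert: private -> Internet
    _flow("10.20.30.40", "203.0.113.7", 5800),                  # no alert: TEST-NET-3 excluded
    _flow("10.20.30.40", "11.22.33.44", 5900),                  # no alert: RFB port, outside range
    _flow("172.16.5.9", "192.168.1.20", 5801),                  # no alert: internal to internal
    _flow("11.22.33.44", "10.20.30.40", 5800),                  # no alert: inbound, sibling rule
    _flow("10.20.30.40", "11.22.33.44", 5800, transport="udp"), # no alert: not TCP
    _flow("10.1.1.1", "100.64.1.1", 5800),                      # no alert: CGNAT space excluded
    _flow("fd00::1", "2001:db8::1", 5800),                      # no alert: IPv6 source not listed
    {"event.category": ["network"], "network.transport": "tcp",  # alert: PAN-OS style, no dataset
     "source.ip": "192.168.1.20", "destination.ip": "11.22.33.45", "destination.port": 5810},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matches_rule(ev), ev["source.ip"], "->", ev["destination.ip"], ev["destination.port"])
    print(summarize_hits(SAMPLE_EVENTS))
```

When tuning, the summarize_hits output is the natural starting point for the first investigation step (which internal asset, which external address): a source that appears once is a candidate for a tightly scoped exception, while a source fanning out to many external hosts on these ports is the pattern the rule exists to catch. Inbound exposure is deliberately not covered here; that is the sibling "VNC (Virtual Network Computing) from the Internet" rule listed under related rules.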
Related rules
- VNC (Virtual Network Computing) from the Internet
- Accepted Default Telnet Port Connection
- IPSEC NAT Traversal Port Activity
- Possible FIN7 DGA Command and Control Behavior
- RDP (Remote Desktop Protocol) from the Internet