VNC (Virtual Network Computing) to the Internet
This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
Elastic rule
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/09/18"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by
system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
backdoor vector.
"""
false_positives = [
    """
    VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by
    engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and
    support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage
    that is unfamiliar to server or network owners can be unexpected and suspicious.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "VNC (Virtual Network Computing) to the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 47
rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
severity = "medium"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Software"
reference = "https://attack.mitre.org/techniques/T1219/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
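The query above, re-implemented in Python over a handful of constructed flow records so the matching can be checked offline. This is an added example, not code from the Elastic rule or its repository; field names follow ECS, every record in SAMPLE_EVENTS is made up for the example, and 11.22.33.44 stands in for an arbitrary public address that is not in the IANA special-purpose registry.

```python
# Added example, not code from the Elastic rule or its repository: the
# rule's KQL query re-implemented in Python so its matching can be checked
# offline. Field names are ECS; every record in SAMPLE_EVENTS is
# constructed for this example, and 11.22.33.44 stands in for an arbitrary
# public (non-special-purpose) address.
import ipaddress

# Source ranges the rule treats as "internal" (RFC 1918).
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destinations the rule excludes: the IANA special-purpose ranges it lists,
# plus IPv6 loopback, link-local and multicast.
EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1/128", "fe80::/10", "ff00::/8")]


def in_any(ip_str, networks):
    """True if ip_str parses as an address inside one of networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(ip in net for net in networks)


def matches_rule(event):
    """Apply the rule's query to one ECS-style flat event dict."""
    category = event.get("event.category")
    categories = category if isinstance(category, list) else [category]
    if not (event.get("event.dataset") == "network_traffic.flow"
            or any(c in ("network", "network_traffic") for c in categories)):
        return False
    if event.get("network.transport") != "tcp":
        return False
    port = event.get("destination.port")
    if not isinstance(port, int) or not 5800 <= port <= 5810:
        return False
    if not in_any(event.get("source.ip", ""), INTERNAL_SOURCES):
        return False
    # What remains: internal source -> non-reserved destination on a VNC port.
    return not in_any(event.get("destination.ip", ""), EXCLUDED_DESTINATIONS)


def alerts(events):
    """Return the indices of the events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # 0: internal host -> public address on 5800/tcp: fires
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "10.1.2.3", "destination.ip": "11.22.33.44",
     "destination.port": 5800},
    # 1: internal -> internal: destination is excluded
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "192.168.1.10", "destination.ip": "10.0.0.5",
     "destination.port": 5801},
    # 2: internal -> CGNAT (100.64.0.0/10): destination is excluded
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "172.16.0.9", "destination.ip": "100.64.3.4",
     "destination.port": 5802},
    # 3: same as 0 but UDP: the transport filter drops it
    {"event.dataset": "network_traffic.flow", "network.transport": "udp",
     "source.ip": "10.1.2.3", "destination.ip": "11.22.33.44",
     "destination.port": 5800},
    # 4: inbound from the Internet: source is not RFC 1918 (the sibling
    #    "from the Internet" rule covers this direction)
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "11.22.33.44", "destination.ip": "10.1.2.3",
     "destination.port": 5800},
    # 5: raw RFB on 5900 is outside the rule's 5800-5810 window
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",
     "source.ip": "10.1.2.3", "destination.ip": "11.22.33.44",
     "destination.port": 5900},
    # 6: PAN-OS style record carrying event.category instead of the dataset
    {"event.category": ["network"], "network.transport": "tcp",
     "source.ip": "192.168.5.5", "destination.ip": "11.22.33.44",
     "destination.port": 5810},
]

if __name__ == "__main__":
    print("events firing the rule:", alerts(SAMPLE_EVENTS))  # [0, 6]
```

Two things the sample set makes visible that the rule text does not spell out. First, the port window 5800-5810 is the range conventionally used by VNC's HTTP/Java viewer; a plain RFB session to the default display port 5900 (event 5) does not match, so a server that only exposes 5900 needs a separate rule or a wider window. Second, the query keys on port and address ranges alone, so any TCP traffic from an RFC 1918 source to a non-reserved destination on those ports fires it, whether or not it is VNC; the false-positives text above is the tuning guidance for that.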
Related rules
- Accepted Default Telnet Port Connection
- IPSEC NAT Traversal Port Activity
- Possible FIN7 DGA Command and Control Behavior
- RDP (Remote Desktop Protocol) from the Internet
- Roshal Archive (RAR) or PowerShell File Downloaded from the Internet