Command & Control
External Remote Access
Detection overview
The "External Remote Access" detection identifies attempts by external entities to establish remote connections to internal systems. This type of activity is often associated with malicious actors seeking unauthorized access to internal networks and resources, using tools and protocols like Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), SSH, and remote administration tools.
Triggers
- An internal host is connecting to an external server and the pattern looks reversed from normal client to server traffic; the client appears to be receiving instructions from the server and a human on the outside appears to be controlling the exchange
Possible Root Causes
- A host includes malware with remote access capability (e.g. Meterpreter, Poison Ivy) that connects to its C&C server and receives commands from a human operator
- A user has intentionally installed and is using remote desktop access software and is accessing the host from the outside (e.g. GotoMyPC, RDP)
- This behavior can also be exhibited through very active use of certain types of chat software that exposes similar human-driven behavior
Business Impact
- Presence of malware with human-driven C&C is a property of targeted attacks
- Business risk associated with outside human control of an internal host is very high
- Provisioning of this style of remote access to internal hosts poses substantial risks as compromise of the service provides direct access into your network
Steps to Verify
- Look at the detection details and the PCAP to determine whether this may be traffic from chat software
- Check if a user has knowingly installed remote access software and decide whether the resulting risk is acceptable
- Scan the computer for known malware and potentially reimage it, noting that some remote access toolkits leave no trace on disk and reside entirely in memory
External Remote Access
Possible root causes
Malicious Detection
- An attacker attempting to gain unauthorized access to internal systems using stolen credentials or brute-force attacks.
- Malware on an external host attempting to connect to internal systems to establish a command and control channel.
- Exploitation of vulnerabilities in remote access services to gain unauthorized entry.
Benign Detection
- IT administrators accessing internal systems remotely for legitimate maintenance or support activities.
- Remote workers using VPN or remote access tools to connect to the corporate network.
- Authorized third-party vendors performing remote support or system updates.
External Remote Access
Example scenarios
Scenario 1: An internal server receives multiple remote access attempts via RDP from an external IP address. Investigation reveals that an attacker used stolen credentials to attempt unauthorized access during off-hours.
Scenario 2: A sudden increase in SSH connection attempts from an external IP is detected. Further analysis indicates that a legitimate third-party vendor was performing scheduled maintenance, causing the detection to trigger.
External Remote Access
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Unauthorized Access
Successful external remote access by malicious actors can lead to unauthorized access to sensitive data and critical systems.
Data Breach
Attackers can exfiltrate data, leading to potential financial and reputational damage.
Compromise of Network Integrity
Unauthorized remote access can be used as a foothold to launch further attacks, including lateral movement, privilege escalation, and deployment of malware.
External Remote Access
Steps to investigate
Review Remote Access Logs
Examine logs for remote access attempts, focusing on the frequency, source IP addresses, and times of the attempts.
Identify the Source
Determine if the source of the remote access attempts is known and authorized. Check if the IP address belongs to a trusted entity.
Check for Associated Activity
Look for other signs of compromise or related suspicious behavior, such as failed login attempts, unusual network traffic, or malware alerts.
Consult with IT and Security Teams
Confirm if any authorized remote access activities were scheduled or performed by IT administrators, remote workers, or third-party vendors.
External Remote Access
MITRE ATT&CK techniques covered
External Remote Access
Related detections
FAQs
What is External Remote Access?
External Remote Access involves attempts by external entities to establish remote connections to internal systems using tools and protocols like RDP, VNC, SSH, and remote administration tools.
What are the common signs of External Remote Access?
Common signs include remote access attempts from unknown or unauthorized external IP addresses, high frequency of connection attempts, use of non-standard ports or protocols, and successful connections following multiple failed attempts.
Can legitimate software trigger this detection?
Yes, legitimate IT maintenance, remote work, and third-party support activities can generate remote access traffic that may trigger this detection.
How does Vectra AI identify External Remote Access?
Vectra AI uses advanced AI algorithms and machine learning to analyze remote access patterns and identify anomalies indicative of unauthorized external remote access attempts.
What is the business impact of External Remote Access?
It can lead to unauthorized access, data breaches, and network compromise, resulting in financial and reputational damage.
How can I detect External Remote Access in my network?
Detect External Remote Access by monitoring for unusual or unauthorized remote connection attempts, high frequency of remote access, use of uncommon ports or protocols, and repeated failed login attempts.
Why is External Remote Access a significant threat?
It can lead to unauthorized access, data breaches, and compromise of network integrity, as attackers use remote access to gain a foothold in the network and launch further attacks.
What steps should I take if I detect External Remote Access?
Investigate the source and scope of the remote access attempts, check for signs of compromise, review remote access logs, and consult with IT and security teams to verify if the activity is legitimate.
What tools can help verify the presence of External Remote Access?
Tools such as remote access logs, firewall logs, and network traffic analysis can help verify and investigate suspicious external remote access activities.
How can I prevent External Remote Access?
Implement robust remote access monitoring, enforce strict access controls, regularly update and patch remote access services, and use multi-factor authentication (MFA) to minimize vulnerabilities.