Command & Control

External Remote Access

Detection overview

The "External Remote Access" detection identifies attempts by external entities to establish remote connections to internal systems. This type of activity is often associated with malicious actors seeking unauthorized access to internal networks and resources, using tools and protocols like Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), SSH, and remote administration tools.

Triggers

  • An internal host is connecting to an external server, but the traffic pattern is reversed from normal client-to-server traffic: the client appears to be receiving instructions from the server, and a human on the outside appears to be controlling the exchange

Possible Root Causes

  • A host is infected with malware that has remote access capability (e.g. Meterpreter, Poison Ivy), connects to its C&C server and receives commands from a human operator
  • A user has intentionally installed remote desktop access software and is accessing the host from the outside (e.g. GotoMyPC, RDP)
  • Very active use of certain types of chat software can also produce a similar human-driven traffic pattern
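The trigger and root causes above describe a session whose roles look reversed (the outside party opens each exchange, the inside host answers with more data) and whose pacing looks human rather than scripted. The following added example, which is not Vectra's code and not from the original page, shows how an analyst could score a single session on those two properties from a list of timestamped messages. The message format, the constructed sessions, the 1-second pause that separates exchanges and the ratio and coefficient-of-variation thresholds are all assumptions chosen for illustration; in practice the messages would come from flow records or the PCAP attached to the detection.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Msg:
    t: float      # seconds since the session started
    src: str      # "int" = internal host, "ext" = external server
    nbytes: int   # payload bytes carried by this message


def exchanges(msgs, pause=1.0):
    """Group a message stream into exchanges. A new exchange starts whenever a
    message follows more than `pause` seconds of silence (assumed threshold);
    the side that sends that first message is the exchange's initiator."""
    out, cur, last_t = [], None, None
    for m in sorted(msgs, key=lambda m: m.t):
        if cur is None or m.t - last_t > pause:
            if cur is not None:
                out.append(cur)
            cur = {"initiator": m.src, "start": m.t, "int": 0, "ext": 0}
        cur[m.src] += m.nbytes
        last_t = m.t
    if cur is not None:
        out.append(cur)
    return out


def score_session(msgs, pause=1.0, min_exchanges=5,
                  ext_led_ratio=0.7, human_cv=0.5):
    """Classify one internal->external session.
    Reversed roles: most exchanges are opened by the external side and the
      internal host sends more bytes back (commands in, output out).
    Human-driven: gaps between externally opened exchanges are irregular
      (coefficient of variation >= human_cv); scripted control is regular."""
    ex = exchanges(msgs, pause)
    if len(ex) < min_exchanges:
        return {"verdict": "insufficient_data", "exchanges": len(ex)}
    ext_led = [e for e in ex if e["initiator"] == "ext"]
    ratio = len(ext_led) / len(ex)
    bytes_int = sum(e["int"] for e in ex)
    bytes_ext = sum(e["ext"] for e in ex)
    starts = [e["start"] for e in ext_led]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else 0.0
    reversed_roles = ratio >= ext_led_ratio and bytes_int > bytes_ext
    if reversed_roles and cv >= human_cv:
        verdict = "external_remote_access"      # outside human driving the host
    elif reversed_roles:
        verdict = "automated_reverse_control"   # reversed roles, machine-paced
    else:
        verdict = "normal"
    return {"verdict": verdict, "exchanges": len(ex),
            "ext_led_ratio": round(ratio, 2), "bytes_int": bytes_int,
            "bytes_ext": bytes_ext, "gap_cv": round(cv, 2)}


def _session(lead_times, lead_bytes, reply_bytes, lead="ext", reply_delay=0.2):
    """Build a constructed session in which `lead` opens every exchange and the
    other side answers reply_delay seconds later."""
    other = "int" if lead == "ext" else "ext"
    msgs = []
    for t, rb in zip(lead_times, reply_bytes):
        msgs.append(Msg(t, lead, lead_bytes))
        msgs.append(Msg(t + reply_delay, other, rb))
    return msgs


# Constructed: an operator types short commands at irregular intervals and the
# internal host returns command output of varying size.
SESSION_OPERATOR = _session([0, 7, 9, 25, 40, 43, 70], 20,
                            [800, 1500, 400, 3000, 600, 2200, 900])
# Constructed: ordinary browsing; the internal host asks, the server answers big.
SESSION_BROWSING = _session([0, 3, 5, 12, 20], 300, [20000] * 5,
                            lead="int", reply_delay=0.1)
# Constructed: reversed roles but a fixed 10-second cadence (scripted control).
SESSION_SCRIPTED = _session([0, 10, 20, 30, 40, 50], 20, [500] * 6)

if __name__ == "__main__":
    for name, s in [("operator", SESSION_OPERATOR), ("browsing", SESSION_BROWSING),
                    ("scripted", SESSION_SCRIPTED)]:
        print(name, score_session(s))
```

The three verdicts map onto the root causes listed above: a human-paced, server-led session is the case to investigate first, a machine-paced one points at an automated tool rather than a live operator, and a client-led session is normal traffic. Chat software can look human-paced too, which is why the verification steps start with looking at the PCAP rather than acting on the score alone.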

Business Impact

  • Presence of malware with human-driven C&C is a property of targeted attacks
  • Business risk associated with outside human control of an internal host is very high
  • Provisioning this style of remote access to internal hosts poses substantial risk, since compromise of the service provides direct access into your network

Steps to Verify

  • Look at the detection details and the PCAP to determine whether this may be traffic from chat software
  • Check if a user has knowingly installed remote access software and decide whether the resulting risk is acceptable
  • Scan the computer for known malware and potentially reimage it, noting that some remote access toolkits leave no trace on disk and reside entirely in memory

Possible root causes

Malicious Detection

  • An attacker attempting to gain unauthorized access to internal systems using stolen credentials or brute-force attacks.
  • Malware on an external host attempting to connect to internal systems to establish a command and control channel.
  • Exploitation of vulnerabilities in remote access services to gain unauthorized entry.

Benign Detection

  • IT administrators accessing internal systems remotely for legitimate maintenance or support activities.
  • Remote workers using VPN or remote access tools to connect to the corporate network.
  • Authorized third-party vendors performing remote support or system updates.

Example scenarios

Scenario 1: An internal server receives multiple remote access attempts via RDP from an external IP address. Investigation reveals that an attacker used stolen credentials to attempt unauthorized access during off-hours.

Scenario 2: A sudden increase in SSH connection attempts from an external IP is detected. Further analysis indicates that a legitimate third-party vendor was performing scheduled maintenance, causing the detection to trigger.
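Both scenarios turn on the same questions: how many attempts came from one external source in a short span, did failures precede a success, did it happen off-hours, and is the source inside an approved vendor window. The following added example (not Vectra's code, not from the original page) runs that triage over constructed attempt records. The one-line record format, the internal address ranges, the business hours, the maintenance window table and the burst threshold are all assumptions; the source addresses are RFC 5737 documentation ranges and no real hosts are involved.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records, one per remote-access attempt, normalised to
# "<timestamp> <protocol> <source IP> <target host> <result>". Not real data.
SAMPLE_LOG = """\
2024-03-02T02:14:07Z rdp 203.0.113.45 srv-fin-01 failure
2024-03-02T02:14:09Z rdp 203.0.113.45 srv-fin-01 failure
2024-03-02T02:14:12Z rdp 203.0.113.45 srv-fin-01 failure
2024-03-02T02:14:15Z rdp 203.0.113.45 srv-fin-01 failure
2024-03-02T02:14:19Z rdp 203.0.113.45 srv-fin-01 success
2024-03-02T10:00:01Z ssh 198.51.100.7 srv-db-02 success
2024-03-02T10:00:40Z ssh 198.51.100.7 srv-db-02 success
2024-03-02T10:01:15Z ssh 198.51.100.7 srv-db-02 success
2024-03-02T10:02:03Z ssh 198.51.100.7 srv-db-02 success
2024-03-02T10:03:30Z ssh 198.51.100.7 srv-db-02 success
2024-03-02T11:20:00Z rdp 203.0.113.9 srv-fin-01 failure
2024-03-02T11:20:30Z rdp 203.0.113.9 srv-fin-01 failure
2024-03-02T13:05:44Z rdp 10.20.30.40 srv-fin-01 success
"""

# Assumed: the organisation's internal address space; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: approved vendor maintenance windows (source IP, start, end) taken
# from the change calendar. Scenario 2's vendor is the constructed entry here.
MAINTENANCE_WINDOWS = [
    ("198.51.100.7",
     datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc),
     datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)),
]


def parse(log):
    """Parse the constructed record format into dicts with a UTC datetime."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, proto, src, host, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "proto": proto, "src": src, "host": host, "result": result})
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_maintenance(src, ts):
    return any(src == ip and start <= ts <= end for ip, start, end in MAINTENANCE_WINDOWS)


def off_hours(ts, start_hour=8, end_hour=18):
    return not (start_hour <= ts.hour < end_hour)   # assumed business hours, UTC


def max_in_window(times, window_s):
    """Largest number of attempts that fall inside any window_s-second span."""
    best, i = 0, 0
    for j in range(len(times)):
        while (times[j] - times[i]).total_seconds() > window_s:
            i += 1
        best = max(best, j - i + 1)
    return best


def detect(records, threshold=4, window_s=300):
    """Flag external sources making >= threshold attempts against one host and
    service within window_s seconds, then add the context an analyst checks first."""
    groups = defaultdict(list)
    for r in records:
        if not is_internal(r["src"]):
            groups[(r["src"], r["proto"], r["host"])].append(r)
    findings = []
    for (src, proto, host), rs in sorted(groups.items()):
        rs.sort(key=lambda r: r["ts"])
        if max_in_window([r["ts"] for r in rs], window_s) < threshold:
            continue
        failures = sum(r["result"] == "failure" for r in rs)
        # A success that follows earlier failures from the same source is the
        # shape of a credential-guessing attempt that eventually worked.
        seen_failure = success_after_failure = False
        for r in rs:
            if r["result"] == "failure":
                seen_failure = True
            elif seen_failure:
                success_after_failure = True
        f = {"src": src, "proto": proto, "host": host, "attempts": len(rs),
             "failures": failures, "success_after_failure": success_after_failure,
             "off_hours": off_hours(rs[0]["ts"]),
             "vendor_window": in_maintenance(src, rs[0]["ts"])}
        if f["vendor_window"]:
            f["severity"] = "informational"   # expected activity; keep the record
        elif success_after_failure:
            f["severity"] = "high"            # guessing that got in
        elif failures:
            f["severity"] = "medium"          # guessing still in progress
        else:
            f["severity"] = "low"             # burst of successes from an unknown source
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f)
```

On the constructed data the RDP source from Scenario 1 is reported as high severity with four failures, a following success and an off-hours flag, while the SSH burst from Scenario 2 is downgraded to informational because the source and time fall inside an approved window; the two-attempt source stays below the threshold and the internal source is never considered. The maintenance table is what keeps Scenario 2 from paging someone, so it has to be maintained from the change process rather than edited ad hoc when an alert fires.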

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Unauthorized Access

Successful external remote access by malicious actors can lead to unauthorized access to sensitive data and critical systems.

Data Breach

Attackers can exfiltrate data, leading to potential financial and reputational damage.

Compromise of Network Integrity

Unauthorized remote access can be used as a foothold to launch further attacks, including lateral movement, privilege escalation, and deployment of malware.

Steps to investigate

FAQs

  • What is External Remote Access?
  • How can I detect External Remote Access in my network?
  • What are the common signs of External Remote Access?
  • Why is External Remote Access a significant threat?
  • Can legitimate software trigger this detection?
  • What steps should I take if I detect External Remote Access?
  • How does Vectra AI identify External Remote Access?
  • What tools can help verify the presence of External Remote Access?
  • What is the business impact of External Remote Access?
  • How can I prevent External Remote Access?