MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1021.005: VNC

Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.

VNC differs from Remote Desktop Protocol as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.

Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_command_and_control: PT-CR-1839: VNC_Connection: A VNC connection was detected
mitre_attck_command_and_control: PT-CR-2318: Remote_Administration_Tools_Usage: A remote administration utility was used

Detection

IDDS0029Data source and componentNetwork Traffic: Network Connection CreationDescription

Monitor for newly constructed network connections that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for newly executed processes that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems the screensharingd process may be related to VNC connection activity.

IDDS0028Data source and componentLogon Session: Logon Session CreationDescription

Monitor for user accounts logged into systems that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems log show --predicate 'process = "screensharingd" and eventMessage contains "Authentication:"' can be used to review incoming VNC connection attempts for suspicious activity.

Mitigation

IDM1042NameDisable or Remove Feature or ProgramDescription

Uninstall any VNC server software where not required.

IDM1037NameFilter Network TrafficDescription

VNC defaults to TCP ports 5900 for the server, 5800 for browser access, and 5500 for a viewer in listening mode. Filtering or blocking these ports will inhibit VNC traffic utilizing default ports.

IDM1047NameAuditDescription

Inventory workstations for unauthorized VNC server software.

IDM1033NameLimit Software InstallationDescription

Restrict software installation to user groups that require it. A VNC server must be manually installed by the user or adversary.