Key points:
- VNC provides platform-independent screen sharing using the RFB protocol for remote control of display, mouse, and keyboard inputs.
- Adversaries often use valid credentials to access VNC, enabling actions as the logged-on user without creating new accounts.
- VNC can be configured to use system authentication or separate VNC-specific credentials, increasing attack surface if misconfigured.
- Detection requires correlating network connections, process launches, and logon session events with unusual access patterns.
- Vulnerabilities and weak/default credentials in VNC implementations enable brute force, memory exploits, and unauthenticated access.
Description:
- Like a remote puppeteer peering through a window, VNC lets someone see and manipulate another computer's screen and controls from afar.
- VNC relays the remote framebuffer (screen) and input events over the network, letting adversaries operate as the logged-on user to open files, run commands, collect data, and pivot across a network; this matters because it provides stealthy, interactive access that can blend with legitimate admin activity.
Detection:
- Monitor authentication logs for VNC services: collect system and application logs showing VNC auth events (e.g., macOS screensharingd authentication messages) and alert on failed and unusual successful logins.
- Correlate network connection creation to known VNC ports (5900-5999) and detect connections from unusual source IPs or at odd hours using network flow or IDS sensors.
- Watch process creation for VNC server or client binaries and child processes that spawn shells, file transfers, or data collection tools after a VNC session starts.
- Track logon session creation and map sessions to interactive remote control activity; flag sessions where VNC is followed by lateral movement actions or credential access attempts.
- Use host-based EDR to detect typical post-login behaviors (file staging, command execution, discovery commands) and tie them to recent VNC sessions to reduce false positives.
- Monitor for default/test accounts and environment variables exposing credentials in VNC configurations; scan configurations and inventories to remediate weak credentials and misconfigurations.
- Apply brute-force detection: count repeated auth failures against VNC endpoints, use rate-limiting, and integrate with PAM/AD lockout policies to block credential-guessing attempts.
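As an added example (not part of this page or of ATT&CK's own content), the following Python sketches the detection logic above: it parses constructed screensharingd-style authentication lines, flags sources with repeated failures inside a short window, flags connections to ports 5900-5999 from non-allow-listed sources or outside working hours, and ties a later successful login back to a source that was just brute-forcing. The log line layout, allow-list, working hours and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real logs; the screensharingd line layout is assumed.
AUTH_LOG = """\
2024-06-01 02:13:05 screensharingd[512]: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.9 :: Type: DH
2024-06-01 02:13:06 screensharingd[512]: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.9 :: Type: DH
2024-06-01 02:13:07 screensharingd[512]: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.9 :: Type: DH
2024-06-01 02:13:09 screensharingd[512]: Authentication: SUCCEEDED :: User Name: admin :: Viewer Address: 203.0.113.9 :: Type: DH
2024-06-01 09:30:00 screensharingd[512]: Authentication: SUCCEEDED :: User Name: itops :: Viewer Address: 10.0.0.5 :: Type: DH
"""
AUTH_RE = re.compile(r"^(\S+ \S+) screensharingd\[\d+\]: Authentication: (\w+) :: "
                     r"User Name: (\S+) :: Viewer Address: (\S+)")
FMT = "%Y-%m-%d %H:%M:%S"
CONNS = [("2024-06-01 02:13:04", "203.0.113.9", 5900),   # constructed flow events:
         ("2024-06-01 09:29:58", "10.0.0.5", 5900),      # (timestamp, src_ip, dst_port)
         ("2024-06-01 11:00:00", "10.0.0.7", 443)]
VNC_PORTS = range(5900, 6000)        # 5900-5999, as listed under Detection
KNOWN_ADMIN_SOURCES = {"10.0.0.5"}   # assumed allow-list of admin jump hosts
WORK_HOURS = range(7, 19)            # assumed 07:00-18:59 local time

def parse_auth(log):
    """Yield (time, result, user, source_ip) for each screensharingd auth line."""
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield datetime.strptime(m[1], FMT), m[2], m[3], m[4]

def brute_force_sources(log, threshold=3, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` FAILED auths inside a sliding window."""
    fails, flagged = defaultdict(list), set()
    for t, result, _, ip in parse_auth(log):
        if result == "FAILED":
            fails[ip] = [f for f in fails[ip] if t - f <= window] + [t]
            if len(fails[ip]) >= threshold:
                flagged.add(ip)
    return flagged

def suspicious_vnc_connections(conns):
    """Connections to VNC ports from non-allow-listed sources or outside work hours."""
    return [(ts, ip, port) for ts, ip, port in conns if port in VNC_PORTS and
            (ip not in KNOWN_ADMIN_SOURCES or datetime.strptime(ts, FMT).hour not in WORK_HOURS)]

def correlate(log, conns):
    """Tie successful VNC logins back to sources that were just brute-forcing."""
    brute = brute_force_sources(log)
    logins = [(user, ip) for _, r, user, ip in parse_auth(log)
              if r == "SUCCEEDED" and ip in brute]
    return brute, suspicious_vnc_connections(conns), logins
```

In production the thresholds would feed a rate limiter or PAM/AD lockout rather than only an alert, and the allow-list would come from inventory rather than a literal.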
Tactics:
Lateral Movement
Platforms:
Linux, Windows, macOS
Data Sources:
Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation, Process: Process Creation
Relationship Citations:
(Citation: Palo Alto Latrodectus Activity June 2024), (Citation: Trickbot VNC module July 2021), (Citation: Talos ZxShell Oct 2014), (Citation: CISA AA20-259A Iran-Based Actor September 2020), (Citation: Symantec Shuckworm January 2022), (Citation: Bitdefender Trickbot VNC module Whitepaper 2021), (Citation: CrowdStrike Carbon Spider August 2021), (Citation: Check Point Warzone Feb 2020), (Citation: Prevx Carberp March 2011), (Citation: Securelist GCMAN), (Citation: ClearSky Siamesekitten August 2021), (Citation: objsee mac malware 2017), (Citation: Unit 42 Gamaredon February 2022), (Citation: Microsoft Actinium February 2022)