Remote Services: VNC

Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB ("remote framebuffer") protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.[1]

VNC differs from Remote Desktop Protocol as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.[2][3]

Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.[4][5][6][7][8][9]

ID: T1021.005
Sub-technique of:  T1021
Platforms: Linux, Windows, macOS
System Requirements: VNC server installed and listening for connections.
CAPEC ID: CAPEC-555
Version: 1.1
Created: 11 February 2020
Last Modified: 07 October 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
S0484 Carberp

Carberp can start a remote VNC session by downloading a new plugin.[10]

G0046 FIN7

FIN7 has used TightVNC to control compromised hosts.[11]

G0117 Fox Kitten

Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.[12]

G0036 GCMAN

GCMAN uses VNC for lateral movement.[13]

S0279 Proton

Proton uses VNC to connect into systems.[14]

S0266 TrickBot

TrickBot has used a VNC module to monitor the victim and collect information to pivot to valuable systems on the network [15][16]

S0412 ZxShell

ZxShell supports functionality for VNC sessions.[17]

Mitigations

ID Mitigation Description
M1047 Audit

Inventory workstations for unauthorized VNC server software.

M1042 Disable or Remove Feature or Program

Uninstall any VNC server software where not required.

M1037 Filter Network Traffic

VNC defaults to TCP ports 5900 for the server, 5800 for browser access, and 5500 for a viewer in listening mode. Filtering or blocking these ports will inhibit VNC traffic utilizing default ports.

M1033 Limit Software Installation

Restrict software installation to user groups that require it. A VNC server must be manually installed by the user or adversary.

Detection

ID Data Source Data Component
DS0028 Logon Session Logon Session Creation
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation

Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.

On macOS systems log show --predicate 'process = "screensharingd" and eventMessage contains "Authentication:"' can be used to review incoming VNC connection attempts for suspicious activity.[18]

Monitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.[19][20]

References