DET0178 Behavioral Detection of Unauthorized VNC Remote Control Sessions
| Item | Value |
| --- | --- |
| ID | DET0178 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1021.005 (VNC)
Analytics
Windows
AN0504
Detection of VNC service or executable starting unexpectedly, followed by user session creation and interactive desktop activity (mouse/keyboard simulation).
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TimeWindow | Correlate VNC process with user logon activity within defined time span |
| VNCBinaryList | Trackable VNC executable names (e.g., vncserver.exe, winvnc.exe) |
| LogonType | Limit detection to interactive logons (type 10) |
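The sketch below is an added example, not part of the original detection strategy. It shows how the three AN0504 mutable elements can drive a per-host correlation of a VNC process start with a following logon. The event field names, the 120-second window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime

# Mutable elements from AN0504; the concrete values are assumptions.
TIME_WINDOW_S = 120
VNC_BINARY_LIST = {"vncserver.exe", "winvnc.exe"}
LOGON_TYPE = 10

# Constructed, normalized events (hypothetical schema, not a real log format).
EVENTS = [
    {"ts": "2025-10-21T09:00:00", "host": "ws01", "kind": "process_start", "image": r"C:\Tools\winvnc.exe"},
    {"ts": "2025-10-21T09:00:45", "host": "ws01", "kind": "logon", "logon_type": 10, "user": "jdoe"},
    {"ts": "2025-10-21T09:05:00", "host": "ws02", "kind": "process_start", "image": r"C:\Program Files\VNC\vncserver.exe"},
    {"ts": "2025-10-21T09:20:00", "host": "ws02", "kind": "logon", "logon_type": 10, "user": "asmith"},  # outside window
    {"ts": "2025-10-21T09:30:00", "host": "ws03", "kind": "process_start", "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2025-10-21T09:30:10", "host": "ws03", "kind": "logon", "logon_type": 10, "user": "bob"},  # not a VNC binary
    {"ts": "2025-10-21T09:40:00", "host": "ws04", "kind": "process_start", "image": r"C:\Tools\WinVNC.exe"},
    {"ts": "2025-10-21T09:40:05", "host": "ws04", "kind": "logon", "logon_type": 3, "user": "svc"},  # wrong logon type
]

def basename(image):
    # Windows paths use backslashes and are case-insensitive.
    return image.rsplit("\\", 1)[-1].lower()

def correlate(events, window_s=TIME_WINDOW_S, binaries=VNC_BINARY_LIST, logon_type=LOGON_TYPE):
    """Alert when a listed VNC binary starts and a matching logon follows
    on the same host within window_s seconds."""
    alerts = []
    recent = {}  # host -> [(start_time, image)] for VNC process starts
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "process_start" and basename(ev["image"]) in binaries:
            recent.setdefault(ev["host"], []).append((ts, ev["image"]))
        elif ev["kind"] == "logon" and ev.get("logon_type") == logon_type:
            # Drop process starts that have aged out of the window.
            live = [(t, img) for t, img in recent.get(ev["host"], [])
                    if (ts - t).total_seconds() <= window_s]
            recent[ev["host"]] = live
            for t, img in live:
                alerts.append({"host": ev["host"], "user": ev["user"], "image": img,
                               "delay_s": int((ts - t).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Widening `window_s` trades fewer missed sessions for more coincidental matches, so it should be tuned against how VNC is legitimately used in the environment.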
Linux
AN0505
Spawning of VNC-related processes (e.g., x11vnc, vncserver) coupled with authentication logs and port listening behavior on TCP 5900.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ListeningPort | Default VNC port (5900) but may vary in config |
| ProcessNameFilter | Filter specific VNC binaries in process execution logs |
| UserContext | Scope detection to non-service or high-privilege accounts |
macOS
AN0506
Detection of VNC-based remote control via screensharingd activity in Unified Logs along with concurrent remote login activity or suspicious user interaction.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| AuthenticationPredicate | Unified log predicate to refine suspicious screensharing access |
| TimeWindow | Time between VNC connection and follow-on activity (e.g., 30s) |
| UserActivitySpike | Mouse/keyboard interaction spike immediately post-VNC login |