Skip to content

T1021.005 VNC

Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.1

VNC differs from Remote Desktop Protocol as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system’s authentication, but it can be configured to use credentials specific to VNC.23

Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.456789

Item Value
ID T1021.005
Sub-techniques T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006
Tactics TA0008
CAPEC ID CAPEC-555
Platforms Linux, Windows, macOS
Version 1.1
Created 11 February 2020
Last Modified 07 October 2021

Procedure Examples

ID Name Description
S0484 Carberp Carberp can start a remote VNC session by downloading a new plugin.16
G0046 FIN7 FIN7 has used TightVNC to control compromised hosts.23
G0117 Fox Kitten Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.19
G0047 Gamaredon Group Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.212022
G0036 GCMAN GCMAN uses VNC for lateral movement.24
S0279 Proton Proton uses VNC to connect into systems.14
S0266 TrickBot TrickBot has used a VNC module to monitor the victim and collect information to pivot to valuable systems on the network 1718
S0670 WarzoneRAT WarzoneRAT has the ability of performing remote desktop access via a VNC console.13
S0412 ZxShell ZxShell supports functionality for VNC sessions.15

Mitigations

ID Mitigation Description
M1047 Audit Inventory workstations for unauthorized VNC server software.
M1042 Disable or Remove Feature or Program Uninstall any VNC server software where not required.
M1037 Filter Network Traffic VNC defaults to TCP ports 5900 for the server, 5800 for browser access, and 5500 for a viewer in listening mode. Filtering or blocking these ports will inhibit VNC traffic utilizing default ports.
M1033 Limit Software Installation Restrict software installation to user groups that require it. A VNC server must be manually installed by the user or adversary.

Detection

ID Data Source Data Component
DS0028 Logon Session Logon Session Creation
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation

References

  1. T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021. 

  2. Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021. 

  3. Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021. 

  4. Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021. 

  5. Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021. 

  6. Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021. 

  7. Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021. 

  8. Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021. 

  9. Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021. 

  10. Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. 

  11. Pascal Nowack. (n.d.). Retrieved September 21, 2021. 

  12. Pascal Nowack. (n.d.). Retrieved September 21, 2021. 

  13. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  14. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  15. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  16. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020. 

  17. Ionut Illascu. (2021, July 14). Trickbot updates its VNC module for high-value targets. Retrieved September 10, 2021. 

  18. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021. 

  19. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  20. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  21. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. 

  22. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  23. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  24. Kaspersky Lab’s Global Research & Analysis Team. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved April 20, 2016. 

Back to top