T1021.005

VNC

Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC uses the Remote Framebuffer (RFB) protocol to relay screen, mouse, and keyboard inputs over the network. Unlike RDP, VNC provides screen-sharing rather than resource-sharing, making it useful for interactive control. Threat actors including Gamaredon Group, FIN7, and APT groups have used VNC tools including UltraVNC, TightVNC, TigerVNC, and RealVNC for lateral movement and remote access. VNC communicates on TCP port 5900+ by default and can be used with or without password authentication, with some implementations historically vulnerable to authentication bypasses.

Microsoft Sentinel / Defender

kusto

// Detect VNC-related process execution and network connections
let VncProcesses = dynamic(["vncserver", "vncviewer", "vncconfig", "vnc4server", "x0vncserver",
  "tightvncserver", "tightvncviewer", "ultravnc", "uvnc", "tvnserver", "tvnviewer",
  "winvnc", "winvnc4", "rfbdrv"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (VncProcesses) or InitiatingProcessFileName has_any (VncProcesses)
| extend IsVncServer = FileName has_any ("vncserver", "vnc4server", "tightvnc", "winvnc")
| extend IsVncClient = FileName has_any ("vncviewer", "tightvncviewer")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, IsVncServer, IsVncClient
| union (
    // Detect VNC network connections (default port range 5900-5910)
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemotePort between (5900 .. 5910) or LocalPort between (5900 .. 5910)
    | where ActionType in ("ConnectionSuccess", "ConnectionFound", "InboundConnectionAccepted")
    | project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, LocalPort, ActionType
)
| union (
    // Detect VNC installation or service registration
    DeviceRegistryEvents
    | where Timestamp > ago(24h)
    | where RegistryKey has_any ("VNC", "RealVNC", "TightVNC", "UltraVNC", "TigerVNC")
    | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Windows Registry: Windows Registry Key Modification

Required Tables

DeviceProcessEvents DeviceNetworkEvents DeviceRegistryEvents

False Positives

IT help desk staff using VNC for legitimate end-user support sessions
System administrators using VNC to manage servers without RDP (especially Linux systems with desktop environments)
Vendor remote support solutions running VNC as a managed remote access tool
Development environments with VNC used to access headless Linux servers with GUI applications
Industrial control system (ICS) environments using VNC for HMI access to SCADA systems

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    process.name in~ ("vncserver.exe", "vncviewer.exe", "vncconfig.exe",
      "vnc4server", "x0vncserver", "tightvncserver", "tightvncviewer.exe",
      "ultravnc.exe", "uvnc_service.exe", "tvnserver.exe", "tvnviewer.exe",
      "winvnc.exe", "winvnc4.exe", "rfbdrv.exe")
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.parent.name in~ ("vncserver.exe", "tvnserver.exe", "winvnc.exe",
      "uvnc_service.exe", "ultravnc.exe")
  ) or
  (
    event.category == "network" and event.type == "start" and
    network.transport == "tcp" and
    destination.port >= 5900 and destination.port <= 5910
  ) or
  (
    event.category == "registry" and
    event.type in ("creation", "change") and
    registry.path like~ ("*RealVNC*", "*TightVNC*", "*UltraVNC*", "*TigerVNC*", "*WinVNC*", "*RFBDRV*")
  ) or
  (
    event.category == "registry" and
    event.type in ("creation", "change") and
    registry.value like~ ("*vncserver*", "*tvnserver*", "*winvnc*", "*uvnc*")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security agent (process, network, registry events) Winlogbeat with Sysmon module Auditbeat (Linux process and network auditing)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.registry-* winlogbeat-* auditbeat-*

False Positives

IT helpdesk and sysadmin teams using authorised VNC-based remote support tools (e.g., RealVNC Viewer for managed endpoint administration with documented approval and known source IPs)
Automated UI testing pipelines in CI/CD environments running headless VNC servers (e.g., Xvnc, x11vnc) for browser or desktop application testing on Linux build agents
Vulnerability scanners and asset inventory tools (e.g., Nessus, Rapid7 InsightVM, Shodan internal crawlers) generating TCP connection attempts to port 5900 during scheduled service discovery scans

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  sourceip AS source_ip,
  destinationip AS destination_ip,
  destinationport AS destination_port,
  username AS user_name,
  eventid AS event_id,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process,
  "Command Line" AS command_line,
  "Service Name" AS service_name,
  "Service File Name" AS service_binary,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(highlevelcategory) AS high_category,
  CASE
    WHEN eventid = 1 THEN 'VNC_ProcessExecution'
    WHEN eventid = 3 THEN 'VNC_NetworkConnection'
    WHEN eventid IN (7045, 4697) THEN 'VNC_ServiceInstall'
    ELSE 'VNC_UnknownCategory'
  END AS alert_type
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND (
    (
      eventid = 1
      AND (
        "Process Name" ILIKE '%vncserver%'
        OR "Process Name" ILIKE '%vncviewer%'
        OR "Process Name" ILIKE '%tvnserver%'
        OR "Process Name" ILIKE '%tvnviewer%'
        OR "Process Name" ILIKE '%winvnc%'
        OR "Process Name" ILIKE '%winvnc4%'
        OR "Process Name" ILIKE '%ultravnc%'
        OR "Process Name" ILIKE '%uvnc_service%'
        OR "Process Name" ILIKE '%rfbdrv%'
        OR "Process Name" ILIKE '%x0vncserver%'
      )
    )
    OR (
      eventid = 3
      AND destinationport BETWEEN 5900 AND 5910
    )
    OR (
      eventid IN (7045, 4697)
      AND (
        "Service Name" ILIKE '%vnc%'
        OR "Service Name" ILIKE '%rfbdrv%'
        OR "Service Name" ILIKE '%uvnc%'
        OR "Service File Name" ILIKE '%vnc%'
        OR "Service File Name" ILIKE '%uvnc%'
      )
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Microsoft Windows Sysmon (via WinCollect or Universal DSM) Microsoft Windows Security Event Log Microsoft Windows System Event Log

Required Tables

events

False Positives

Authorised remote desktop support tools built on VNC technology or using RFB protocol (e.g., some versions of DameWare, certain RMM platforms) that match on service name or destination port without being standalone VNC software
Security operations teams conducting authorised vulnerability assessments that probe TCP port 5900 across internal subnets during scheduled scanning windows — correlate with change management records
Development and QA workstations running local VNC servers to access virtual machines or headless Linux build systems — should appear with localhost or RFC-1918 destination IPs from known developer subnets

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
(EventID=1 OR EventID=3 OR EventID=7045 OR EventID=4697)
| kvform nodrop
| where (
    (
      EventID = "1"
      AND (
        Image matches "*\\vncserver.exe" OR Image matches "*\\vncviewer.exe"
        OR Image matches "*\\tvnserver.exe" OR Image matches "*\\tvnviewer.exe"
        OR Image matches "*\\winvnc.exe" OR Image matches "*\\winvnc4.exe"
        OR Image matches "*\\uvnc_service.exe" OR Image matches "*\\ultravnc.exe"
        OR Image matches "*\\rfbdrv.exe" OR Image matches "*\\x0vncserver*"
      )
    )
    OR (
      EventID = "3"
      AND toInt(DestinationPort) >= 5900
      AND toInt(DestinationPort) <= 5910
    )
    OR (
      EventID in ("7045", "4697")
      AND (
        toLowerCase(ServiceName) matches "*vnc*"
        OR toLowerCase(ServiceName) matches "*rfbdrv*"
        OR toLowerCase(ServiceName) matches "*uvnc*"
      )
    )
  )
| eval AlertType = if(EventID = "1", "VNC_ProcessExecution",
    if(EventID = "3", "VNC_NetworkConnection", "VNC_ServiceInstall"))
| eval IsVncServer = if(Image matches "*\\vncserver*" OR Image matches "*\\tvnserver*"
    OR Image matches "*\\winvnc*" OR Image matches "*\\uvnc_service*", "true", "false")
| eval IsVncClient = if(Image matches "*\\vncviewer*" OR Image matches "*\\tvnviewer*", "true", "false")
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage,
    DestinationIp, DestinationPort, ServiceName, ServiceFileName, AlertType, IsVncServer, IsVncClient
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (sourceCategory=*sysmon*) Windows Event Log via Sumo Logic Installed Collector (sourceCategory=*windows*) Endpoint security agents forwarding to Sumo Logic

Required Tables

Windows/Sysmon log partition (sourceCategory-based routing) sec_record_endpoint (if using Sumo Logic Cloud SIEM normalized records)

False Positives

Legitimate IT remote support operations using VNC-based tools approved by the organisation (e.g., managed service providers with authorised RMM stacks that include VNC components) — correlate with a known-good asset allowlist
Virtual machine hypervisor management consoles (e.g., QEMU/KVM virt-manager, Proxmox noVNC) communicating on VNC ports exclusively on internal RFC-1918 addresses with well-known source processes
Network monitoring and asset management platforms (e.g., Nessus, Qualys, Rapid7) generating TCP connection events to port 5900 during discovery scans — identify by scanner source IP exclusion lists

Google Chronicle / SecOps

yaral

rule detect_vnc_remote_access_t1021_005 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects VNC process execution, TCP connections on ports 5900-5910, and VNC registry key creation — MITRE ATT&CK T1021.005 (Remote Services: VNC)"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.005"
    severity = "HIGH"
    priority = "HIGH"
    created = "2024-01-01"
    version = "1.0"

  events:
    (
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path,
          `(?i)(vncserver|vncviewer|vncconfig|vnc4server|x0vncserver|tightvncserver|tightvncviewer|ultravnc|uvnc_service|tvnserver|tvnviewer|winvnc|winvnc4|rfbdrv)\.exe`)
      )
      or
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path,
          `(?i)(vncserver|vncviewer|uvnc_service|tvnserver|winvnc|rfbdrv)\.exe`)
      )
      or
      (
        $e.metadata.event_type = "NETWORK_CONNECTION"
        and $e.target.port >= 5900
        and $e.target.port <= 5910
        and $e.network.ip_protocol = "TCP"
      )
      or
      (
        $e.metadata.event_type = "REGISTRY_CREATION"
        and re.regex($e.target.registry.registry_key,
          `(?i)(RealVNC|TightVNC|UltraVNC|TigerVNC|WinVNC|RFBDRV)`)
      )
      or
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and re.regex($e.target.registry.registry_key,
          `(?i)(RealVNC|TightVNC|UltraVNC|TigerVNC|WinVNC|RFBDRV)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) event stream Windows endpoint telemetry forwarded via Chronicle forwarder or Bindplane EDR solutions (CrowdStrike, Carbon Black, SentinelOne) ingested into Chronicle via partner parsers

Required Tables

UDM Events — event_type: PROCESS_LAUNCH UDM Events — event_type: NETWORK_CONNECTION UDM Events — event_type: REGISTRY_CREATION UDM Events — event_type: REGISTRY_MODIFICATION

False Positives

Authorised IT operations using RealVNC or TightVNC with a documented approval record for managed remote desktop access — add principal.hostname values for known support jump hosts to a reference list and suppress
Software deployment and provisioning pipelines (e.g., Packer, Ansible, Chef) that install VNC server components into golden AMIs or base images as part of a standard build process — expected from known CI/CD infrastructure IPs
Authorised red team or penetration testing engagements running VNC for operator access to compromised hosts — suppress based on engagement IP ranges and time windows documented in the change management system

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2|NetworkConnectIP4|NetworkConnectIP6|RegistryOperationCreate|RegistryOperationUpdate|RegGenericValueUpdate)$/
| FileName = /(?i)(vncserver|vncviewer|vncconfig|vnc4server|x0vncserver|tightvncserver|tightvncviewer|ultravnc|uvnc_service|tvnserver|tvnviewer|winvnc|winvnc4|rfbdrv)\.exe/
  OR (RemotePort >= 5900 AND RemotePort <= 5910)
  OR RegObjectName = /(?i)(RealVNC|TightVNC|UltraVNC|TigerVNC|WinVNC|RFBDRV)/
| AlertType := if(
    #event_simpleName = /ProcessRollup2|SyntheticProcessRollup2/,
    "VNC_ProcessExecution",
    if(
      #event_simpleName = /NetworkConnectIP/,
      "VNC_NetworkConnection",
      if(
        #event_simpleName = /Registry/,
        "VNC_RegistryChange",
        "VNC_Other"
      )
    )
  )
| IsVncServer := if(
    FileName = /(?i)(vncserver|tvnserver|winvnc|uvnc_service|rfbdrv)\.exe/,
    true,
    false
  )
| IsVncClient := if(
    FileName = /(?i)(vncviewer|tvnviewer)\.exe/,
    true,
    false
  )
| table(
    [_time, ComputerName, UserName, UserSid, FileName, ImageFileName,
     CommandLine, ParentProcessId, RemoteIP, RemotePort, LocalPort,
     RegObjectName, RegValueName, AlertType, IsVncServer, IsVncClient]
  )
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight XDR endpoint telemetry CrowdStrike Falcon ProcessRollup2 event stream CrowdStrike Falcon NetworkConnectIP4/IPv6 event stream CrowdStrike Falcon Registry event stream

Required Tables

falcon:processrollup2 falcon:syntheticprocessrollup2 falcon:networkconnectip4 falcon:networkconnectip6 falcon:registryoperationcreate falcon:registryoperationupdate

False Positives

Falcon-managed endpoints with approved VNC deployment for helpdesk support where the VNC process SHA256 hashes are added to the Falcon allowlist and RemoteIP values correspond to documented support infrastructure
DevOps and QA automation pipelines executing acceptance tests via VNC-connected virtual machines — typically identifiable by machine accounts, consistent CommandLine patterns, and connections from known CI/CD agent IPs
Network monitoring or asset discovery agents that include port 5900 in TCP service probes — identify by consistent RemotePort=5900 from a single source ComputerName with high connection volume but no matching ProcessRollup2 VNC binary events

Last updated: 2026-04-13 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1021.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.001Remote Desktop Protocol T1021.002SMB/Windows Admin Shares T1021.003Distributed Component Object Model T1021.004SSH T1021.006Windows Remote Management T1021.007Cloud Services T1021.008Direct Cloud VM Connections

VNC

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections