Detect VNC in Elastic Security
Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC uses the Remote Framebuffer (RFB) protocol to relay screen, mouse, and keyboard input over the network. Unlike RDP, VNC provides screen sharing rather than resource sharing, which makes it well suited to interactive control of a desktop session. Threat actors including Gamaredon Group, FIN7, and other APT groups have used VNC tools such as UltraVNC, TightVNC, TigerVNC, and RealVNC for lateral movement and remote access. VNC listens on TCP port 5900 and above by default and can run with or without password authentication; some implementations have historically been vulnerable to authentication bypasses.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1021 Remote Services
- Sub-technique: T1021.005 VNC
- Canonical reference: https://attack.mitre.org/techniques/T1021/005/
Elastic Detection Query
any where
  (
    event.category == "process" and event.type == "start" and
    process.name in~ ("vncserver.exe", "vncviewer.exe", "vncconfig.exe",
                      "vnc4server", "x0vncserver", "tightvncserver", "tightvncviewer.exe",
                      "ultravnc.exe", "uvnc_service.exe", "tvnserver.exe", "tvnviewer.exe",
                      "winvnc.exe", "winvnc4.exe", "rfbdrv.exe")
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.parent.name in~ ("vncserver.exe", "tvnserver.exe", "winvnc.exe",
                             "uvnc_service.exe", "ultravnc.exe")
  ) or
  (
    event.category == "network" and event.type == "start" and
    network.transport == "tcp" and
    destination.port >= 5900 and destination.port <= 5910
  ) or
  (
    event.category == "registry" and
    event.type in ("creation", "change") and
    registry.path like~ ("*RealVNC*", "*TightVNC*", "*UltraVNC*", "*TigerVNC*", "*WinVNC*", "*RFBDRV*")
  ) or
  (
    event.category == "registry" and
    event.type in ("creation", "change") and
    registry.value like~ ("*vncserver*", "*tvnserver*", "*winvnc*", "*uvnc*")
  )

Detects VNC-related activity across process execution, network connections on TCP ports 5900-5910, and registry key creation or modification, using Elastic Common Schema fields. Covers parent-process spawning, VNC service binary execution, and registry persistence for known VNC implementations including RealVNC, TightVNC, UltraVNC, TigerVNC, and WinVNC.
False Positives & Tuning
- IT helpdesk and sysadmin teams using authorised VNC-based remote support tools (e.g., RealVNC Viewer for managed endpoint administration with documented approval and known source IPs)
- Automated UI testing pipelines in CI/CD environments running headless VNC servers (e.g., Xvnc, x11vnc) for browser or desktop application testing on Linux build agents
- Vulnerability scanners and asset inventory tools (e.g., Nessus, Rapid7 InsightVM, Shodan internal crawlers) generating TCP connection attempts to port 5900 during scheduled service discovery scans
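The query above is EQL and only runs inside Elastic; to show what each clause actually matches, and how the tuning exceptions listed here layer on top of it, the following Python replays the rule's five clauses over a handful of constructed ECS-style events. This is an added example, not code from the page or from Elastic: the allowlist values (helpdesk network, CI build agents, scanner address) are hypothetical, the sample events are constructed and use flattened dotted keys for brevity, and EQL's `in~`/`like~` are approximated with lower-cased set membership and `fnmatchcase`.

```python
"""Offline replay of the VNC EQL rule's clauses plus the tuning exceptions."""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Literal lists copied from the detection query (lower-cased; in~ and like~ are case-insensitive)
VNC_PROCESS_NAMES = {
    "vncserver.exe", "vncviewer.exe", "vncconfig.exe", "vnc4server", "x0vncserver",
    "tightvncserver", "tightvncviewer.exe", "ultravnc.exe", "uvnc_service.exe",
    "tvnserver.exe", "tvnviewer.exe", "winvnc.exe", "winvnc4.exe", "rfbdrv.exe",
}
VNC_PARENT_NAMES = {"vncserver.exe", "tvnserver.exe", "winvnc.exe", "uvnc_service.exe", "ultravnc.exe"}
REGISTRY_PATH_PATTERNS = ("*RealVNC*", "*TightVNC*", "*UltraVNC*", "*TigerVNC*", "*WinVNC*", "*RFBDRV*")
REGISTRY_VALUE_PATTERNS = ("*vncserver*", "*tvnserver*", "*winvnc*", "*uvnc*")
VNC_PORTS = range(5900, 5911)  # destination.port >= 5900 and destination.port <= 5910

# Tuning allowlists: hypothetical values for this example, not taken from the page
APPROVED_SUPPORT_NETWORKS = [ip_network("10.10.50.0/24")]  # approved helpdesk source range
CI_BUILD_AGENTS = {"build-agent-01", "build-agent-02"}     # Linux agents running headless VNC for UI tests
SCANNER_SOURCES = [ip_network("10.0.99.10/32")]            # vulnerability scanner doing service discovery
HEADLESS_VNC_BINARIES = {"x0vncserver", "vnc4server", "tightvncserver"}

def _types(event):
    """event.type may be a string or a list in ECS; normalise to a list."""
    t = event.get("event.type", [])
    return [t] if isinstance(t, str) else list(t)

def _like(value, patterns):
    """Approximation of EQL like~ (case-insensitive glob)."""
    return value is not None and any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def match_clause(event):
    """Return the name of the first rule clause the event satisfies, or None."""
    cat, types = event.get("event.category"), _types(event)
    if cat == "process" and "start" in types:
        if (event.get("process.name") or "").lower() in VNC_PROCESS_NAMES:
            return "vnc_process"
        if (event.get("process.parent.name") or "").lower() in VNC_PARENT_NAMES:
            return "vnc_parent"
    if cat == "network" and "start" in types:
        if event.get("network.transport") == "tcp" and event.get("destination.port") in VNC_PORTS:
            return "vnc_port"
    if cat == "registry" and ({"creation", "change"} & set(types)):
        if _like(event.get("registry.path"), REGISTRY_PATH_PATTERNS):
            return "vnc_registry_path"
        if _like(event.get("registry.value"), REGISTRY_VALUE_PATTERNS):
            return "vnc_registry_value"
    return None

def suppression_reason(event, clause):
    """Apply the tuning exceptions from the page; returns a reason string or None."""
    host = event.get("host.name", "")
    src = event.get("source.ip")
    src_ip = ip_address(src) if src else None
    if clause == "vnc_port" and src_ip is not None:
        if any(src_ip in n for n in SCANNER_SOURCES):
            return "scanner_discovery"
        if any(src_ip in n for n in APPROVED_SUPPORT_NETWORKS):
            return "approved_helpdesk_source"
    if clause in ("vnc_process", "vnc_parent") and host in CI_BUILD_AGENTS:
        # only headless X-based servers are expected on build agents, never Windows viewers/services
        if (event.get("process.name") or "").lower() in HEADLESS_VNC_BINARIES:
            return "ci_headless_vnc"
    return None

def triage(events):
    """Return [(clause, suppression_reason)] for every event that matches a clause."""
    out = []
    for ev in events:
        clause = match_clause(ev)
        if clause:
            out.append((clause, suppression_reason(ev, clause)))
    return out

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": "start", "host.name": "ws-042",
     "process.name": "TvnServer.exe", "process.args": ["tvnserver.exe", "-install"]},
    {"event.category": "process", "event.type": ["start"], "host.name": "ws-042",
     "process.name": "cmd.exe", "process.parent.name": "tvnserver.exe"},
    {"event.category": "network", "event.type": ["start", "connection"], "host.name": "ws-042",
     "network.transport": "tcp", "source.ip": "10.20.1.7", "destination.port": 5900},
    {"event.category": "network", "event.type": ["start", "connection"], "host.name": "ws-043",
     "network.transport": "tcp", "source.ip": "10.0.99.10", "destination.port": 5900},
    {"event.category": "registry", "event.type": "creation", "host.name": "ws-042",
     "registry.path": "HKLM\\SOFTWARE\\TightVNC\\Server", "registry.value": "Server"},
    {"event.category": "process", "event.type": "start", "host.name": "build-agent-01",
     "process.name": "x0vncserver"},
    {"event.category": "network", "event.type": ["start"], "host.name": "ws-044",
     "network.transport": "tcp", "source.ip": "10.20.1.7", "destination.port": 443},
]

if __name__ == "__main__":
    for clause, why in triage(SAMPLE_EVENTS):
        print(f"{clause:20s} {'suppressed: ' + why if why else 'ALERT'}")
```

The suppressions are deliberately narrow: a scanner exception only silences the port clause, and the CI exception only silences headless Linux servers on named build agents, so a `tvnviewer.exe` launch on a build agent or a port-5900 connection from an unlisted host still alerts.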
Testing Methodology
Validate this detection against 4 Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Install TightVNC Server as Windows Service
Expected signal: Sysmon Event ID 1: tvnserver.exe with -install flag. Windows Security Event ID 7045: new service tvnservice created. Registry key created at HKLM\SOFTWARE\TightVNC. Sysmon Event ID 12 (registry key create) for TightVNC registry entries.
- Test 2: VNC Connection to Remote Host via vncviewer
Expected signal: Sysmon Event ID 1: tvnviewer.exe process creation with target IP. Sysmon Event ID 3: outbound TCP connection to 127.0.0.1:5900. Windows firewall log entry for the port 5900 connection.
- Test 3: Configure UltraVNC with No Authentication (Backdoor Setup)
Expected signal: Sysmon Event ID 13 (Registry Value Set) for HKLM\SOFTWARE\UltraVNC\Password and SecurityIdentifier. Security Event ID 4657 (registry value modified). Parent process visible as cmd.exe.
- Test 4: Start VNC Server on Non-Standard Port
Expected signal: Linux auditd EXECVE for vncserver with -rfbport 5901 and -SecurityTypes None. Network socket opened on port 5901. Process creation for the Xvnc child process.
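Tests 3 and 4 both end with a VNC server that accepts connections without authentication, and the tuning notes above show that a bare port-5900 connection event cannot tell a scanner probe from a real RFB service. One way to close both gaps from captured traffic is to parse the server's opening bytes: the RFB ProtocolVersion banner followed by the security-type message. The parser below is an added example written for this page, not code from the page, Elastic, or any VNC project; the byte strings are constructed, and the security-type numbers come from the RFB specification (0 invalid/failure, 1 None, 2 VNC Authentication, 5 RA2, 16 Tight, 18 TLS, 19 VeNCrypt).

```python
"""Parse a VNC (RFB) server's greeting to confirm the service and its authentication posture."""
import struct

# Security-type codes from the RFB specification (subset)
RFB_SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                      5: "RA2", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}

def parse_rfb_server_hello(data: bytes) -> dict:
    """Parse the server-to-client bytes of an RFB handshake.

    Layout: 12-byte banner "RFB xxx.yyy\\n", then for 3.3 a single big-endian
    u32 security type, for 3.7/3.8 a count byte followed by that many type
    bytes (a count of 0 means the server refused and a u32-length reason
    string follows). Raises ValueError when the bytes are not RFB.
    """
    if len(data) < 12 or not data.startswith(b"RFB ") or data[7:8] != b"." or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion banner")
    try:
        major, minor = int(data[4:7]), int(data[8:11])
    except ValueError:
        raise ValueError("malformed RFB version number") from None
    rest = data[12:]
    result = {"version": f"{major}.{minor}", "security_types": [],
              "unauthenticated": False, "refused": None}
    if (major, minor) == (3, 3):
        if len(rest) < 4:
            raise ValueError("truncated 3.3 security type")
        types = [struct.unpack(">I", rest[:4])[0]]
    else:
        if not rest:
            raise ValueError("truncated security-type list")
        count = rest[0]
        if count == 0:
            if len(rest) < 5:
                raise ValueError("truncated failure reason")
            rlen = struct.unpack(">I", rest[1:5])[0]
            result["refused"] = rest[5:5 + rlen].decode("latin-1", "replace")
            return result
        if len(rest) < 1 + count:
            raise ValueError("truncated security-type list")
        types = list(rest[1:1 + count])
    result["security_types"] = [RFB_SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    # Security type 1 ("None") means the server will hand over the desktop with no password
    result["unauthenticated"] = 1 in types
    return result

def classify_banner(data: bytes) -> str:
    """Triage label for a captured server greeting seen on a port in the VNC range."""
    try:
        hello = parse_rfb_server_hello(data)
    except ValueError:
        return "not-vnc"
    if hello["refused"] is not None:
        return "vnc-refused"
    return "vnc-unauthenticated" if hello["unauthenticated"] else "vnc-authenticated"

# Constructed server greetings (not real captures)
SAMPLES = {
    "tightvnc_3.8_password": b"RFB 003.008\n\x01\x02",
    "securitytypes_none":    b"RFB 003.008\n\x02\x02\x01",
    "legacy_3.3_password":   b"RFB 003.003\n\x00\x00\x00\x02",
    "refused":               b"RFB 003.008\n\x00" + struct.pack(">I", 7) + b"Refused",
    "ssh_on_5900":           b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:24s} {classify_banner(raw)}")
```

Feeding Zeek or pcap payloads through `classify_banner` lets an analyst promote the rule's generic port clause to "confirmed VNC" and, for `vnc-unauthenticated`, to the higher-severity no-password case that Tests 3 and 4 create; `not-vnc` results on port 5900 are the scanner-probe and mis-labelled-service noise the tuning section describes.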
References
- https://attack.mitre.org/techniques/T1021/005/
- https://www.tightvnc.com/
- https://www.realvnc.com/en/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-ukraine-gamaredon
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting/
- https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml