T1021.005 IBM QRadar · QRadar

Detect VNC in IBM QRadar

Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC uses the Remote Framebuffer (RFB) protocol to relay screen, mouse, and keyboard input over the network. Unlike RDP, VNC provides screen-sharing rather than resource-sharing, making it useful for interactive control. Threat actors such as Gamaredon Group, FIN7, and several APT groups have used VNC tools including UltraVNC, TightVNC, TigerVNC, and RealVNC for lateral movement and remote access. VNC listens on TCP port 5900 and above by default and can be used with or without password authentication; some implementations have historically been vulnerable to authentication bypasses.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.005 VNC
Canonical reference
https://attack.mitre.org/techniques/T1021/005/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  sourceip AS source_ip,
  destinationip AS destination_ip,
  destinationport AS destination_port,
  username AS user_name,
  eventid AS event_id,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process,
  "Command Line" AS command_line,
  "Service Name" AS service_name,
  "Service File Name" AS service_binary,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(highlevelcategory) AS high_category,
  CASE
    WHEN eventid = 1 THEN 'VNC_ProcessExecution'
    WHEN eventid = 3 THEN 'VNC_NetworkConnection'
    WHEN eventid IN (7045, 4697) THEN 'VNC_ServiceInstall'
    ELSE 'VNC_UnknownCategory'
  END AS alert_type
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND (
    (
      eventid = 1
      AND (
        "Process Name" ILIKE '%vncserver%'
        OR "Process Name" ILIKE '%vncviewer%'
        OR "Process Name" ILIKE '%tvnserver%'
        OR "Process Name" ILIKE '%tvnviewer%'
        OR "Process Name" ILIKE '%winvnc%'
        OR "Process Name" ILIKE '%winvnc4%'
        OR "Process Name" ILIKE '%ultravnc%'
        OR "Process Name" ILIKE '%uvnc_service%'
        OR "Process Name" ILIKE '%rfbdrv%'
        OR "Process Name" ILIKE '%x0vncserver%'
      )
    )
    OR (
      eventid = 3
      AND destinationport BETWEEN 5900 AND 5910
    )
    OR (
      eventid IN (7045, 4697)
      AND (
        "Service Name" ILIKE '%vnc%'
        OR "Service Name" ILIKE '%rfbdrv%'
        OR "Service Name" ILIKE '%uvnc%'
        OR "Service File Name" ILIKE '%vnc%'
        OR "Service File Name" ILIKE '%uvnc%'
      )
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity
high
Confidence
high

Detects VNC-related activity in IBM QRadar using Sysmon EventID 1 (process creation with VNC binary names), Sysmon EventID 3 (network connections to ports 5900-5910), and Windows Security/System EventIDs 7045 and 4697 (VNC service installation). Relies on QRadar custom event properties parsed from Windows Sysmon and Windows Event Log sources. The 'Process Name', 'Parent Process Name', 'Command Line', 'Service Name', and 'Service File Name' fields must be mapped as custom properties in the QRadar DSM configuration.

Data Sources

  • Microsoft Windows Sysmon (via WinCollect or Universal DSM)
  • Microsoft Windows Security Event Log
  • Microsoft Windows System Event Log

Required Tables

events

False Positives & Tuning

  • Authorised remote desktop support tools built on VNC technology or using RFB protocol (e.g., some versions of DameWare, certain RMM platforms) that match on service name or destination port without being standalone VNC software
  • Security operations teams conducting authorised vulnerability assessments that probe TCP port 5900 across internal subnets during scheduled scanning windows — correlate with change management records
  • Development and QA workstations running local VNC servers to access virtual machines or headless Linux build systems — should appear with localhost or RFC-1918 destination IPs from known developer subnets
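As an added example (not part of the page or IBM's own AQL), the three detection branches of the query above are replayed in SQLite over constructed sample events, and the tuning advice from the list above is applied as a post-filter; the developer subnet 10.10.0.0/16, the file paths and the IP addresses are assumptions.

```python
import ipaddress
import sqlite3

# Constructed sample rows; columns mirror the QRadar custom properties the rule uses.
SAMPLE_EVENTS = [
    # eventid, process_name, destinationip, destinationport, service_name, service_file_name
    (1, r"C:\Program Files\TightVNC\tvnserver.exe", "", 0, "", ""),
    (3, r"C:\Program Files\TightVNC\tvnviewer.exe", "10.50.1.20", 5900, "", ""),
    (3, r"C:\Program Files\TightVNC\tvnviewer.exe", "127.0.0.1", 5901, "", ""),
    (3, r"C:\Program Files\TightVNC\tvnviewer.exe", "10.10.7.3", 5902, "", ""),
    (7045, "", "", 0, "tvnservice", r"C:\Program Files\TightVNC\tvnserver.exe"),
    (1, r"C:\Windows\System32\notepad.exe", "", 0, "", ""),
    (3, r"C:\Program Files\Google\Chrome\chrome.exe", "93.184.216.34", 443, "", ""),
]

PROCESS_PATTERNS = ["vncserver", "vncviewer", "tvnserver", "tvnviewer", "winvnc",
                    "ultravnc", "uvnc_service", "rfbdrv", "x0vncserver"]
# SQLite LIKE is case-insensitive for ASCII, so it stands in for AQL's ILIKE.
PROC_CLAUSE = " OR ".join(f"process_name LIKE '%{p}%'" for p in PROCESS_PATTERNS)

QUERY = f"""
SELECT eventid, process_name, destinationip, destinationport, service_name,
  CASE WHEN eventid = 1 THEN 'VNC_ProcessExecution'
       WHEN eventid = 3 THEN 'VNC_NetworkConnection'
       WHEN eventid IN (7045, 4697) THEN 'VNC_ServiceInstall'
       ELSE 'VNC_UnknownCategory' END AS alert_type
FROM events
WHERE (eventid = 1 AND ({PROC_CLAUSE}))
   OR (eventid = 3 AND destinationport BETWEEN 5900 AND 5910)
   OR (eventid IN (7045, 4697) AND (service_name LIKE '%vnc%' OR service_name LIKE '%rfbdrv%'
       OR service_name LIKE '%uvnc%' OR service_file_name LIKE '%vnc%'
       OR service_file_name LIKE '%uvnc%')) ORDER BY rowid
"""

# Hypothetical tuning allowlist: the developer subnet named in the False Positives list.
DEV_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]


def run_detection(events=SAMPLE_EVENTS):
    """Return (alert_type, eventid, detail) for every hit that survives tuning."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events (eventid, process_name, destinationip, destinationport, service_name, service_file_name)")
    con.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", events)
    hits = []
    for eventid, proc, dst, _port, svc, alert_type in con.execute(QUERY):
        # Tuning: VNC sessions to loopback or a known developer subnet are expected noise.
        if eventid == 3 and (ipaddress.ip_address(dst).is_loopback
                             or any(ipaddress.ip_address(dst) in n for n in DEV_SUBNETS)):
            continue
        hits.append((alert_type, eventid, proc or svc or dst))
    return hits
```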
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Install TightVNC Server as Windows Service

    Expected signal: Sysmon Event ID 1: tvnserver.exe with -install flag. Windows Security Event ID 7045: new service tvnservice created. Registry key created at HKLM\SOFTWARE\TightVNC. Sysmon Event ID 12 (registry key create) for TightVNC registry entries.

  2. Test 2: VNC Connection to Remote Host via vncviewer

    Expected signal: Sysmon Event ID 1: tvnviewer.exe process creation with target IP. Sysmon Event ID 3: outbound TCP connection to 127.0.0.1:5900. Windows firewall log entry for port 5900 connection.

  3. Test 3: Configure UltraVNC with No Authentication (Backdoor Setup)

    Expected signal: Sysmon Event ID 13 (Registry Value Set) for HKLM\SOFTWARE\UltraVNC\Password and SecurityIdentifier. Security Event ID 4657 (registry value modified). Parent process visible as cmd.exe.

  4. Test 4: Start VNC Server on Non-Standard Port

    Expected signal: Linux auditd EXECVE for vncserver with -rfbport 5901 and -SecurityTypes None. Network socket opened on port 5901. Process creation for Xvnc child process.
