title: VNC (T1021.005)
id: df00tech-t1021-005
status: experimental
description: "Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC uses the Remote Framebuffer (RFB) protocol to relay screen, mouse, and keyboard inputs over the network. Unlike RDP, VNC provides screen-sharing rather than resource-sharing, making it useful for interactive control. Threat actors including Gamaredon Group, FIN7, and APT groups have used VNC tools including UltraVNC, TightVNC, TigerVNC, and RealVNC for lateral movement and remote access. VNC communicates on TCP port 5900+ by default and can be used with or without password authentication, with some implementations historically vulnerable to authentication bypasses."
references:
  - https://attack.mitre.org/techniques/T1021/005/
  - https://df00tech.com/detections/T1021.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1021.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT help desk staff using VNC for legitimate end-user support sessions
  - System administrators using VNC to manage servers without RDP (especially Linux systems with desktop environments)
  - Vendor remote support solutions running VNC as a managed remote access tool
  - Development environments with VNC used to access headless Linux servers with GUI applications
  - Industrial control system (ICS) environments using VNC for HMI access to SCADA systems
level: high