Remote Services: VNC
Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). The adversary may then perform actions as the logged-on user.
VNC is a desktop sharing system that allows users to remotely control another computer’s display by relaying mouse and keyboard inputs over the network. VNC does not necessarily use standard user credentials. Instead, a VNC client and server may be configured with sets of credentials that are used only for VNC connections.
Procedure Examples
Name | Description |
---|---|
Carberp | Carberp can start a remote VNC session by downloading a new plugin.[1] |
GCMAN | |
Proton | |
ZxShell | |
Mitigations
Mitigation | Description |
---|---|
Audit | Inventory workstations for unauthorized VNC server software. |
Disable or Remove Feature or Program | Uninstall any VNC server software where not required. |
Filter Network Traffic | VNC defaults to TCP ports 5900 for the server, 5800 for browser access, and 5500 for a viewer in listening mode. Filtering or blocking these ports will inhibit VNC traffic utilizing default ports. |
Limit Software Installation | Restrict software installation to user groups that require it. A VNC server must be manually installed by the user or adversary. |
Detection
Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with VNC.
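The default ports from the mitigation table and the inventory from the Audit mitigation can be combined into a simple flow-log triage. The following is an added example, not part of the original page: the CSV record layout, the `AUTHORIZED_SERVERS` allowlist, the internal address range, and the sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Default VNC ports, as listed in the Filter Network Traffic mitigation.
VNC_PORTS = {5900: "server", 5800: "browser access", 5500: "listening viewer"}
# Assumptions for this example: inventoried VNC servers and the internal range.
AUTHORIZED_SERVERS = {"10.0.5.20"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: time,src_ip,src_port,dst_ip,dst_port,action
SAMPLE_FLOWS = """\
2024-01-01T09:00:00Z,10.0.7.14,50122,10.0.5.20,5900,ALLOW
2024-01-01T09:02:10Z,198.51.100.7,41000,10.0.9.33,5900,ALLOW
2024-01-01T09:05:42Z,10.0.9.33,49733,203.0.113.50,5500,ALLOW
2024-01-01T09:06:00Z,10.0.7.14,50200,10.0.8.8,443,ALLOW
2024-01-01T09:07:30Z,198.51.100.7,41001,10.0.5.20,5800,DENY
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_flows(text):
    """Return (time, src, dst, port, reasons) for allowed VNC flows worth review."""
    findings = []
    for ts, src, _sport, dst, dport, action in csv.reader(io.StringIO(text)):
        port = int(dport)
        if port not in VNC_PORTS or action != "ALLOW":
            continue  # not a default VNC port, or already blocked by the filter
        # With a listening viewer (5500) the VNC server dials out, so the
        # server is the flow's source; on 5900/5800 it is the destination.
        server, peer = (src, dst) if port == 5500 else (dst, src)
        reasons = []
        if server not in AUTHORIZED_SERVERS:
            reasons.append("VNC server host not in inventory")
        if is_internal(server) and not is_internal(peer):
            reasons.append("VNC session crosses the network boundary")
        if reasons:
            findings.append((ts, src, dst, port, reasons))
    return findings


if __name__ == "__main__":
    for ts, src, dst, port, reasons in triage_flows(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}:{port} ({VNC_PORTS[port]}): {'; '.join(reasons)}")
```

Matching on default ports only covers servers left on their defaults, so this complements the software inventory rather than replacing it.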