Description
Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
VNC differs from Remote Desktop Protocol as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)
Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)
Network Pentesting Methodology
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (4)
Disable or Remove Feature or ProgramM1042
Uninstall any VNC server software where not required.
Filter Network TrafficM1037
VNC defaults to TCP ports 5900 for the server, 5800 for browser access, and 5500 for a viewer in listening mode. Filtering or blocking these ports will inhibit VNC traffic utilizing default ports.
AuditM1047
Inventory workstations for unauthorized VNC server software.
Limit Software InstallationM1033
Restrict software installation to user groups that require it. A VNC server must be manually installed by the user or adversary.
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.(Citation... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used TightVNC to control compromised hosts.(Citation: CrowdStrike Carbon Spider August 2021) |
| G0036 | GCMAN | [GCMAN](https://attack.mitre.org/groups/G0036) uses VNC for lateral movement.(Citation: Securelist GCMAN) |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has installed TightVNC server and client on compromised servers and endpoints for lateral movement... |
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) supports functionality for VNC sessions.(Citation: Talos ZxShell Oct 2014) |
| S1014 | DanBot | Malware | [DanBot](https://attack.mitre.org/software/S1014) can use VNC for remote access to targeted systems.(Citation: ClearSky Siamesekitten August 2021) |
| S0484 | Carberp | Malware | [Carberp](https://attack.mitre.org/software/S0484) can start a remote VNC session by downloading a new plugin.(Citation: Prevx Carberp March 2011) |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) has used a VNC module to monitor the victim and collect information to pivot to valuable systems o... |
| S0279 | Proton | Malware | [Proton](https://attack.mitre.org/software/S0279) uses VNC to connect into systems.(Citation: objsee mac malware 2017) |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) has the ability of performing remote desktop access via a VNC console.(Citation: Check Point War... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has routed C2 traffic using Keyhole VNC.(Citation: Palo Alto Latrodectus Activity June 2024) |
References
- Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021.
- Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.
- Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved September 12, 2024.
- Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021.
- Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021.
- Pascal Nowack. (n.d.). Retrieved September 21, 2021.
- Pascal Nowack. (n.d.). Retrieved September 21, 2021.
- Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
- Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021.
- T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021.
Frequently Asked Questions
What is T1021.005 (VNC)?
T1021.005 is a MITRE ATT&CK technique named 'VNC'. It belongs to the Lateral Movement tactic(s). Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing syste...
How can T1021.005 be detected?
Detection of T1021.005 (VNC) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1021.005?
There are 4 documented mitigations for T1021.005. Key mitigations include: Disable or Remove Feature or Program, Filter Network Traffic, Audit, Limit Software Installation.
Which threat groups use T1021.005?
Known threat groups using T1021.005 include: Gamaredon Group, FIN7, GCMAN, Fox Kitten.