Use of UltraVNC Remote Access Software
An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
Sigma rule (View on GitHub)
title: Use of UltraVNC Remote Access Software
id: 145322e4-0fd3-486b-81ca-9addc75736d8
status: test
description: An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
author: frack113
date: 2022/10/02
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: VNCViewer
        - Product: UltraVNC VNCViewer
        - Company: UltraVNC
        - OriginalFileName: VNCViewer.exe
    condition: selection
falsepositives:
    - Legitimate use
level: medium
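As an added example (not code from the Sigma project or the rule author), the following Python evaluates this rule's selection against constructed process_creation events the way a Sigma backend would: the list of maps under `selection` is OR'ed, the fields inside each map are AND'ed, and plain string values match exactly and case-insensitively. The helper names and sample events are assumptions made for the example.

```python
# Added example, not part of the Sigma rule page. Sigma semantics assumed:
# list of maps -> OR across items, AND within a map, plain strings match
# exactly and case-insensitively (this rule uses no wildcards or modifiers).

# Selection copied from the rule above: four alternative field matches.
SELECTION = [
    {"Description": "VNCViewer"},
    {"Product": "UltraVNC VNCViewer"},
    {"Company": "UltraVNC"},
    {"OriginalFileName": "VNCViewer.exe"},
]

def field_matches(event, field, expected):
    """Sigma plain string match: exact, case-insensitive; missing field never matches."""
    value = event.get(field)
    return isinstance(value, str) and value.lower() == expected.lower()

def selection_matches(event, selection=SELECTION):
    """OR over the list items, AND over the fields inside each item."""
    return any(
        all(field_matches(event, f, v) for f, v in alt.items())
        for alt in selection
    )

def evaluate(events):
    """Return the Image of every process_creation event that trips the rule."""
    return [e["Image"] for e in events if selection_matches(e)]

# Constructed Sysmon-style process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Renamed copy under a misleading name: Image says nothing, but the PE
    # version resource still identifies the tool, which is what the rule keys on.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     "OriginalFileName": "vncviewer.exe", "Company": "UltraVNC",
     "Description": "VNCViewer", "Product": "UltraVNC VNCViewer"},
    # Stock install path used by a help-desk team: also matches, which is the
    # rule's documented false positive ("Legitimate use").
    {"Image": r"C:\Program Files\uvnc bvba\UltraVNC\vncviewer.exe",
     "OriginalFileName": "VNCViewer.exe", "Company": "UltraVNC"},
    # A different VNC client (fictional vendor values): no match.
    {"Image": r"C:\Program Files\OtherVNC\ovnviewer.exe",
     "OriginalFileName": "ovnviewer.exe", "Company": "OtherVNC Ltd",
     "Description": "OtherVNC Viewer", "Product": "OtherVNC"},
    # Binary with its version resource stripped: the rule has nothing to match.
    {"Image": r"C:\Temp\loader.exe"},
]

for image in evaluate(SAMPLE_EVENTS):
    print("ALERT UltraVNC viewer started:", image)
```

The last event shows the rule's blind spot: because every selection item reads PE version-resource fields, a build with that metadata removed does not match, so pairing this rule with network or hash-based coverage is worthwhile.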
Related rules
- Inveigh Execution Artefacts
- Mesh Agent Service Installation
- Suspicious Binary Writes Via AnyDesk
- Suspicious TSCON Start as SYSTEM
- TacticalRMM Service Installation