Use of UltraVNC Remote Access Software
An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
Sigma rule
title: Use of UltraVNC Remote Access Software
id: 145322e4-0fd3-486b-81ca-9addc75736d8
status: test
description: An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
author: frack113
date: 2022-10-02
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: VNCViewer
        - Product: UltraVNC VNCViewer
        - Company: UltraVNC
        - OriginalFileName: VNCViewer.exe
    condition: selection
falsepositives:
    - Legitimate use
level: medium
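To show how the selection above behaves on real-looking telemetry, here is an added Python evaluator (not part of the Sigma project or this rule) run over constructed process-creation events with Sysmon Event ID 1 style field names; it assumes Sigma's documented semantics that list items under a selection are OR'ed and that plain string values match the whole field case-insensitively.

```python
# Added example (not part of the Sigma project): evaluates the rule's `selection`
# against constructed process-creation events with Sysmon Event ID 1 style fields.
# Assumed Sigma semantics: list items under a selection are OR'ed, and a plain
# string value matches the whole field value case-insensitively.

# The selection as written in the rule: single-field maps, OR'ed together.
SELECTION = [
    {"Description": "VNCViewer"},
    {"Product": "UltraVNC VNCViewer"},
    {"Company": "UltraVNC"},
    {"OriginalFileName": "VNCViewer.exe"},
]

def _field_matches(event, field, expected):
    """Sigma plain-string match: case-insensitive, whole-value comparison."""
    value = event.get(field)
    return value is not None and str(value).lower() == expected.lower()

def selection_matches(event):
    """True if any OR'ed item matches; fields inside one item are AND'ed."""
    return any(all(_field_matches(event, f, v) for f, v in item.items())
               for item in SELECTION)

def run_rule(events):
    """Return the Image paths of events satisfying `condition: selection`."""
    return [e["Image"] for e in events if selection_matches(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Unmodified UltraVNC viewer: every field matches.
    {"Image": r"C:\Program Files\uvnc bvba\UltraVNC\vncviewer.exe",
     "Description": "VNCViewer", "Product": "UltraVNC VNCViewer",
     "Company": "UltraVNC", "OriginalFileName": "VNCViewer.exe"},
    # Renamed on disk: the path changes, the PE version resource does not, and
    # the match is case-insensitive, so this still fires.
    {"Image": r"C:\Users\alice\Downloads\svchost.exe",
     "Description": "vncviewer", "Product": "ULTRAVNC VNCVIEWER",
     "Company": "ultravnc", "OriginalFileName": "VNCVIEWER.EXE"},
    # Unrelated process: no field matches.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "Description": "Notepad", "Product": "Microsoft Windows Operating System",
     "Company": "Microsoft Corporation", "OriginalFileName": "NOTEPAD.EXE"},
    # Only Company matches: one OR branch is enough, which is also why the rule
    # lists "Legitimate use" under falsepositives.
    {"Image": r"C:\Temp\tool.exe", "Company": "UltraVNC"},
]
```

Because the rule keys on PE version-resource fields rather than the file path, a renamed copy of the viewer still matches; triage should pair a hit with the parent process and the user context to separate support staff from unwanted remote access.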
Related rules
- Antivirus Exploitation Framework Detection
- Anydesk Temporary Artefact
- Atera Agent Installation
- DNS Query To AzureWebsites.NET By Non-Browser Process
- DNS Query To Remote Access Software Domain From Non-Browser App