Suspicious UltraVNC Execution

 1title: Suspicious UltraVNC Execution
 2id: 871b9555-69ca-4993-99d3-35a59f9f3599
 3status: test
 4description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
 5references:
 6    - https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
 7    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
 8    - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
 9    - https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
10author: Bhabesh Raj
11date: 2022/03/04
12modified: 2022/03/09
13tags:
14    - attack.lateral_movement
15    - attack.g0047
16    - attack.t1021.005
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        CommandLine|contains|all:
23            - '-autoreconnect '
24            - '-connect '
25            - '-id:'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

• Wayback Machine

  

  Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sa...

  
  Read More

• Shuckworm Continues Cyber-Espionage Attacks Against Ukraine

  

  Symantec investigation uncovers selection of files used in ongoing attacks.

  
  Read More

• The Gamaredon Group Toolset Evolution

  

  Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.

  
  Read More

• Commandline Parameters - UltraVNC VNC OFFICIAL SITE, Remote Desktop Free Opensource

  VNC remote desktop support software for remote PC control. Free. Anydesk , teamviewer alternative

  
  Read More

Related rules

• Terminal Service Process Spawn
• T1047 Wmiprvse Wbemcomn DLL Hijack
• HackTool - Potential Impacket Lateral Movement Activity
• RDP Port Forwarding Rule Added Via Netsh.EXE
• HackTool - WinRM Access Via Evil-WinRM