Windows: detection of a VNC service or executable starting unexpectedly, followed within a short window by logon session creation and interactive desktop activity (mouse and keyboard input injected by the remote viewer).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| Network Traffic Flow (DC0078) | NSM:Flow | port 5900 inbound |

| Field | Description |
|---|---|
| TimeWindow | Maximum interval between the VNC process start and the user logon for the two events to be correlated |
| VNCBinaryList | VNC server executable names to track (e.g., vncserver.exe, winvnc.exe) |
| LogonType | Restrict to interactive logon types. VNC relays the console session rather than going through Terminal Services, so the follow-on logon usually records as type 2 (Interactive) or 7 (Unlock); type 10 (RemoteInteractive) is what RDP-based tooling produces |
Linux: spawning of VNC server processes (e.g., x11vnc, vncserver), correlated with authentication entries in syslog and a new listener or inbound connection on TCP 5900.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:EXECVE | None |
| Logon Session Metadata (DC0088) | linux:syslog | None |
| Network Traffic Flow (DC0078) | NSM:Flow | TCP port 5900 open |

| Field | Description |
|---|---|
| ListeningPort | TCP 5900 by default (display :N listens on 5900+N); the port is configurable, so key the filter on the value in the server configuration rather than on the default |
| ProcessNameFilter | VNC server binary names to match in process execution logs |
| UserContext | Scope detection to non-service accounts or to high-privilege accounts; service accounts that legitimately run a VNC server should be excluded or handled separately |
macOS: detection of VNC-based remote control through screensharingd activity in the unified log, correlated with a concurrent remote login or unusual user interaction.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | macos:unifiedlog | authentication |
| Process Creation (DC0032) | macos:osquery | process_events |
| Network Traffic Flow (DC0078) | NSM:firewall | inbound connection to port 5900 |

| Field | Description |
|---|---|
| AuthenticationPredicate | Unified log predicate (e.g., process == "screensharingd") used to narrow the query to screen-sharing authentication events |
| TimeWindow | Maximum interval between the VNC connection and follow-on activity (e.g., 30 s) |
| UserActivitySpike | Burst of mouse/keyboard input immediately after the VNC login |
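The three analytics above describe the same correlation on different telemetry: a VNC server process starts, an inbound connection reaches the VNC port, and an interactive logon follows within TimeWindow. The Python below is an added example, not part of the original detection strategy, that implements that correlation over constructed records for all three platforms, with the mutable elements exposed as constants. The channel field names (Image, TargetUserName, a0, dst_port and so on), the syslog and unified-log message formats it matches, and every sample record are assumptions for the example and will need mapping onto your SIEM's schema.

```python
"""Correlate VNC process starts, inbound VNC-port connections and interactive logons.
Added example for the three analytics above; channel field names, the log message
formats matched below and every SAMPLE record are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Mutable elements from the analytics (tune per environment).
VNC_BINARIES = {"vncserver.exe", "winvnc.exe", "tvnserver.exe",  # Windows (VNCBinaryList)
                "x11vnc", "vncserver",                           # Linux (ProcessNameFilter)
                "screensharingd"}                                # macOS
VNC_PORTS = {5900}                       # ListeningPort; widen if the server config moves it
LOGON_TYPES = {"2", "7", "10"}           # LogonType: console, unlock, remote interactive
SERVICE_ACCOUNTS = {"system", "root", "local service", "network service"}  # UserContext
TIME_WINDOW = timedelta(seconds=60)      # TimeWindow

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "process", "logon" or "flow"
    attrs: dict

def _basename(path):
    """Last path component for either separator, so Windows paths work on POSIX."""
    return re.split(r"[\\/]", path)[-1].lower()

def normalize(raw):
    """Map one channel-specific record onto the common Event schema (None if irrelevant)."""
    ts, host, ch = datetime.fromisoformat(raw["ts"]), raw["host"], raw["channel"]
    if ch == "WinEventLog:Sysmon" and raw.get("EventCode") == 1:
        return Event(ts, host, "process", {"name": _basename(raw["Image"])})
    if ch == "WinEventLog:Security" and raw.get("EventCode") == 4624:
        return Event(ts, host, "logon", {"user": raw["TargetUserName"],
                                         "logon_type": str(raw["LogonType"])})
    if ch == "auditd:EXECVE":
        return Event(ts, host, "process", {"name": _basename(raw["a0"])})
    if ch == "macos:osquery" and raw.get("action") == "EXEC":
        return Event(ts, host, "process", {"name": _basename(raw["path"])})
    if ch == "linux:syslog":
        m = re.search(r"session opened for user (\S+)", raw["message"])
        return Event(ts, host, "logon", {"user": m.group(1)}) if m else None
    if ch == "macos:unifiedlog" and raw.get("process") == "screensharingd":
        m = re.search(r"Authentication: SUCCEEDED :: User Name: (\S+)", raw["message"])
        return Event(ts, host, "logon", {"user": m.group(1)}) if m else None
    if ch in ("NSM:Flow", "NSM:firewall") and raw.get("direction") == "inbound":
        return Event(ts, host, "flow", {"dst_port": int(raw["dst_port"]), "src": raw["src_ip"]})
    return None

def detect(raw_records, window=TIME_WINDOW):
    """Alert when a VNC binary starts and, within `window`, the same host sees an
    inbound connection to a VNC port and an interactive logon by a non-service user."""
    events = [e for e in map(normalize, raw_records) if e]
    alerts = []
    for start in events:
        if start.kind != "process" or start.attrs["name"] not in VNC_BINARIES:
            continue
        later = [e for e in events
                 if e.host == start.host and start.ts <= e.ts <= start.ts + window]
        flows = [e for e in later if e.kind == "flow" and e.attrs["dst_port"] in VNC_PORTS]
        logons = [e for e in later if e.kind == "logon"
                  and e.attrs["user"].lower() not in SERVICE_ACCOUNTS
                  # Linux/macOS logons carry no Windows logon type; treat them as interactive
                  and e.attrs.get("logon_type", "2") in LOGON_TYPES]
        if flows and logons:
            alerts.append({"host": start.host, "process": start.attrs["name"],
                           "viewer": flows[0].attrs["src"], "user": logons[0].attrs["user"],
                           "delay_s": int((logons[0].ts - start.ts).total_seconds())})
    return alerts

def rec(ts, host, channel, **fields):
    """Build one constructed telemetry record (all on the same sample day)."""
    return {"ts": f"2024-05-01T{ts}", "host": host, "channel": channel, **fields}

SAMPLE = [  # constructed telemetry: three true positives, two benign sequences
    rec("10:00:00", "win-ws01", "WinEventLog:Sysmon", EventCode=1, Image=r"C:\Program Files\TightVNC\tvnserver.exe"),
    rec("10:00:05", "win-ws01", "NSM:Flow", direction="inbound", dst_port=5900, src_ip="10.0.9.7"),
    rec("10:00:12", "win-ws01", "WinEventLog:Security", EventCode=4624, TargetUserName="alice", LogonType=2),
    rec("10:10:00", "lin-srv02", "auditd:EXECVE", a0="/usr/bin/x11vnc"),
    rec("10:10:04", "lin-srv02", "NSM:Flow", direction="inbound", dst_port=5900, src_ip="10.0.9.7"),
    rec("10:10:09", "lin-srv02", "linux:syslog", message="pam_unix(login:session): session opened for user bob by (uid=0)"),
    rec("10:20:00", "mac-lt03", "macos:osquery", action="EXEC",
        path="/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd"),
    rec("10:20:02", "mac-lt03", "NSM:firewall", direction="inbound", dst_port=5900, src_ip="10.0.9.7"),
    rec("10:20:07", "mac-lt03", "macos:unifiedlog", process="screensharingd",
        message="Authentication: SUCCEEDED :: User Name: carol :: Viewer Address: 10.0.9.7 :: Type: DH"),
    # Benign: server starts at boot under SYSTEM, only a type 5 service logon follows, nobody connects
    rec("10:30:00", "win-ws04", "WinEventLog:Sysmon", EventCode=1, Image=r"C:\Program Files\RealVNC\VNC Server\vncserver.exe"),
    rec("10:30:01", "win-ws04", "WinEventLog:Security", EventCode=4624, TargetUserName="SYSTEM", LogonType=5),
    # Benign: a connection happens, but the logon lands five minutes later, outside TimeWindow
    rec("11:00:00", "lin-srv05", "auditd:EXECVE", a0="/usr/bin/vncserver"),
    rec("11:00:03", "lin-srv05", "NSM:Flow", direction="inbound", dst_port=5900, src_ip="10.0.9.7"),
    rec("11:05:00", "lin-srv05", "linux:syslog", message="pam_unix(sshd:session): session opened for user dave by (uid=0)"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Run it directly to print the three alerts for the sample set. Two design choices are worth noting. The correlation is anchored on the process start because the analytics frame the behaviour as a server starting unexpectedly; for a VNC service that has been running since boot, anchor on the inbound flow instead and only require that a VNC server process exist on the host. Linux and macOS logons carry no Windows-style logon type, so the LogonType filter only ever applies to 4624 events; on the other platforms the UserContext exclusion does the work, which is why a logon by root or SYSTEM never raises an alert here.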