The hypothesis is that an adversary is attempting to exfiltrate VNC credentials from a target system to gain remote access and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement and unauthorized access attempts early.
YARA Rule
rule cred_vnc {
    meta:
        author = "x0r"
        description = "Steal VNC credential"
        version = "0.1"
    strings:
        $s1 = "VNCPassView"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
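The rule's condition, all of them, means every string declared in the strings: section must occur somewhere in the scanned bytes; with a single ASCII string, that reduces to "VNCPassView" appearing anywhere in the file. The following is an added example, not part of the original rule or the x0r rule set: a pure-Python re-implementation of that matching logic, run against constructed sample buffers so an analyst can see exactly which bytes trigger the rule and at what offsets. The wide option is an illustration of how YARA's wide modifier would additionally match a UTF-16LE copy of the same indicator; the original rule declares only the default ASCII form.

```python
"""Pure-Python re-implementation of the cred_vnc rule's matching logic.

Added example, not part of the original rule or the x0r rule set. It mirrors
what YARA does for this rule: every string in the `strings:` section must be
found somewhere in the scanned bytes ("all of them"). The `wide` option is an
illustration of how a UTF-16LE variant of the same indicator would be matched;
the original rule declares only the default ASCII form.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Strings from the cred_vnc rule, keyed by their YARA identifier.
CRED_VNC_STRINGS: Dict[str, bytes] = {
    "$s1": b"VNCPassView",
}


@dataclass
class ScanResult:
    rule: str
    matched: bool
    # identifier -> list of byte offsets where the string was found
    offsets: Dict[str, List[int]] = field(default_factory=dict)


def _find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Return every offset at which `needle` occurs in `haystack`."""
    hits, start = [], 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_all_of(data: bytes, strings: Dict[str, bytes], rule: str = "cred_vnc",
                wide: bool = False) -> ScanResult:
    """Evaluate an `all of them` condition over `strings` against `data`.

    With wide=True each string is also searched as UTF-16LE (YARA's `wide`
    modifier); this is an added illustration, not in the original rule.
    """
    offsets: Dict[str, List[int]] = {}
    for ident, needle in strings.items():
        hits = _find_all(data, needle)
        if wide:
            hits += _find_all(data, needle.decode("ascii").encode("utf-16-le"))
        offsets[ident] = sorted(hits)
    # "all of them": every declared string must have at least one hit
    matched = all(offsets[i] for i in strings)
    return ScanResult(rule=rule, matched=matched, offsets=offsets)


# Constructed sample buffers standing in for scanned files; not real binaries.
SAMPLE_HIT = b"MZ\x90\x00" + b"\x00" * 32 + b"VNCPassView v1.0" + b"\x00" * 8
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 32 + b"notepad.exe" + b"\x00" * 8
SAMPLE_WIDE = b"MZ\x90\x00" + "VNCPassView".encode("utf-16-le")

if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("clean", SAMPLE_CLEAN), ("wide", SAMPLE_WIDE)):
        r = scan_all_of(buf, CRED_VNC_STRINGS)
        print(f"{name:5} ascii-only -> matched={r.matched} offsets={r.offsets}")
    print("wide  with wide=True ->", scan_all_of(SAMPLE_WIDE, CRED_VNC_STRINGS, wide=True).matched)
```

Running it shows the ASCII-only rule matching the first buffer at offset 36, missing the clean buffer, and also missing the UTF-16LE buffer unless the wide variant is searched, which is the usual reason a single-string rule like this one is reviewed before being deployed broadly.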
Scenario: Scheduled VNC Credential Backup by IT Admin
Description: An IT administrator uses a script (e.g., vncpasswd or vncviewer) to securely back up VNC credentials as part of a regular maintenance task.
Filter/Exclusion: Check for the presence of vncpasswd in the command line and filter on the user root or it-admin together with a scheduled-job identifier (e.g., a crontab entry with @daily or @weekly).
Scenario: Remote Desktop Protocol (RDP) Session Initiation
Description: A legitimate RDP session is initiated using a VNC client (e.g., TightVNC or UltraVNC) as part of remote support or access.
Filter/Exclusion: Filter by source IP addresses known to be internal or trusted, and exclude commands containing vncviewer or vncconnect when used with RDP-related ports (e.g., port 3389).
Scenario: VNC Server Configuration Update
Description: A system administrator updates the VNC server configuration file (e.g., /etc/tigervnc/vncserver.users) to add or modify user credentials.
Filter/Exclusion: Exclude processes related to vncserver or vncconfig that are initiated by root or sudo and involve file modifications to known configuration directories.
Scenario: Automated VNC Credential Rotation via Ansible
Description: A DevOps team uses Ansible to automate the rotation of VNC credentials across multiple servers as part of a security policy.
Filter/Exclusion: Filter for Ansible-related processes (e.g., ansible-playbook) and exclude commands that modify files in /etc/vnc/ or /home/vncuser/ with