The detection identifies potential use of a Remote Administration Toolkit (RAT) that leverages the VNC protocol for unauthorized remote access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that could lead to persistent access.
YARA Rule
rule rat_vnc {
    meta:
        author = "x0r"
        description = "Remote Administration toolkit VNC"
        version = "0.1"
    strings:
        $f1 = "ultravnc.ini" nocase
        $c2 = "StartVNC"
        $c3 = "StopVNC"
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
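To show what those three patterns and the "any of them" condition actually do, here is a small Python re-implementation of the rule's string semantics (the nocase modifier on $f1 versus the case-sensitive $c2 and $c3) run over two constructed byte samples. This is an added example, not the rule author's code, and it does not replace scanning with yara or yara-python; the sample contents are made up for illustration.

```python
import re

# Strings from the rat_vnc rule: (identifier, pattern, case_insensitive).
# YARA text strings are ASCII and case-sensitive unless marked nocase.
RAT_VNC_STRINGS = [
    ("$f1", b"ultravnc.ini", True),   # nocase modifier
    ("$c2", b"StartVNC", False),
    ("$c3", b"StopVNC", False),
]


def match_strings(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits = {}
    for ident, pattern, nocase in RAT_VNC_STRINGS:
        flags = re.IGNORECASE if nocase else 0
        offsets = [m.start() for m in re.finditer(re.escape(pattern), data, flags)]
        if offsets:
            hits[ident] = offsets
    return hits


def rat_vnc_matches(data: bytes) -> bool:
    """Condition 'any of them': the rule fires if at least one string is present."""
    return bool(match_strings(data))


# Constructed samples (not real malware). The first references an UltraVNC
# config path in mixed case, which only matches because $f1 is nocase. The
# second mentions lowercase 'startvnc', which the case-sensitive $c2 must
# not match, so the rule stays silent on it.
SUSPICIOUS_SAMPLE = b"\x4d\x5a\x90\x00...config=C:\\ProgramData\\UltraVNC.INI\x00"
BENIGN_SAMPLE = b"README: run startvnc.sh to launch your own vnc session"


def scan_samples():
    """Scan both constructed samples; returns (suspicious_hits, benign_hits)."""
    return match_strings(SUSPICIOUS_SAMPLE), match_strings(BENIGN_SAMPLE)


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = "MATCH" if rat_vnc_matches(sample) else "no match"
        print(f"{name}: {verdict} {match_strings(sample)}")
```

Triage the rule's hits by which identifier fired: a lone $f1 on a file that legitimately ships ultravnc.ini is the false-positive case the scenarios below describe, whereas $c2 or $c3 inside an unexpected binary is worth a closer look.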
Scenario: System Administrator Using VNC for Remote Desktop Access
Description: A system administrator is using a legitimate VNC tool like TightVNC or RealVNC to remotely manage a server.
Filter/Exclusion: Exclude connections originating from known admin IP ranges or user agents associated with legitimate remote access tools.

Scenario: Scheduled Job Using VNC for Automation
Description: A scheduled job uses UltraVNC to remotely execute scripts or maintenance tasks on a target machine.
Filter/Exclusion: Exclude processes initiated by known system services or scheduled tasks with specific command-line arguments.

Scenario: Internal Network Monitoring with VNC
Description: A security team uses TightVNC to monitor internal network devices or servers for troubleshooting.
Filter/Exclusion: Exclude connections between internal IP ranges or those initiated by security tools like Wireshark or Splunk.

Scenario: Remote Support via VNC by IT Helpdesk
Description: An IT helpdesk technician uses RealVNC to provide remote support to end-users.
Filter/Exclusion: Exclude connections from known helpdesk IP ranges or those associated with user accounts in the IT support group.

Scenario: VNC Used for Legacy Application Access
Description: A legacy application requires VNC access via UltraVNC to interface with older systems or custom GUI tools.
Filter/Exclusion: Exclude processes that match known legacy application service names or those running under specific user contexts.