A threat hunter should investigate processes created by TigerVNC, since this may indicate the use of a remote management tool for adversary persistence or command and control. Proactively hunting for this behavior in Azure Sentinel can help identify endpoints compromised by adversaries leveraging legitimate RMM tools.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'TigerVNC'
and ProcessVersionInfoProductName has 'TigerVNC'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: e44636e5-dcfa-4ba2-802c-db858c61ffd4
name: Remote Management and Monitoring tool - TigerVNC - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'TigerVNC'
      and ProcessVersionInfoProductName has 'TigerVNC'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job for System Monitoring
Description: A legitimate scheduled job runs the TigerVNC process as part of a system monitoring tool (e.g., TigerVNC itself or an RMM tool like Kaseya or ConnectWise Control) to monitor remote systems.
Filter/Exclusion: Check for CommandLine containing --listen or --daemon flags, or filter by process name vncserver with known legitimate parent processes (e.g., systemd, cron, or task scheduler).
Scenario: Admin Task to Enable Remote Access
Description: An administrator manually starts the TigerVNC service to enable remote desktop access for troubleshooting or maintenance tasks.
Filter/Exclusion: Filter by user account (e.g., Administrator, ITSupport) or check for CommandLine containing --geometry or --shared flags indicating a legitimate configuration setup.
Scenario: Automated Patching via RMM Tool
Description: A remote management tool (e.g., Microsoft SCCM, Altiris, or Landesk) uses TigerVNC to execute scripts or patches on remote endpoints.
Filter/Exclusion: Filter by parent process (e.g., msiexec.exe, setup.exe, or taskeng.exe) or check for CommandLine containing --no-desktop or --localhost to indicate a non-interactive session.
Scenario: Virtualization or VM Management
Description: A virtualization platform (e.g., VMware vSphere, Microsoft Hyper-V) uses TigerVNC to manage virtual machines, which may trigger the rule due to process creation.
Filter/Exclusion: Filter by parent process (e.g., vmrun.exe, vmtoolsd.exe, or hypervisor) or
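The scenarios above describe tuning rather than showing it. The following is an added example, not part of the original hunting query, that folds those exclusions into the base query and tags each event with the reason it was considered benign. The parent-process, account and flag allow-lists are placeholders built from the values named in the scenarios and are assumed to be replaced with an environment's own baseline.

```kql
let Time_start = now(-5d);
let Time_end = now();
// Placeholder allow-list of launchers named in the scenarios (RMM installers, VM tooling)
let BenignParents = dynamic(["msiexec.exe", "setup.exe", "taskeng.exe", "vmrun.exe", "vmtoolsd.exe"]);
// Placeholder allow-list of accounts expected to start VNC for support work
let BenignAccounts = dynamic(["itsupport"]);
// Flags the scenarios associate with scheduled, listening or non-interactive sessions
let BenignFlags = dynamic(["--listen", "--daemon", "--no-desktop", "--localhost"]);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'TigerVNC'
    and ProcessVersionInfoProductName has 'TigerVNC'
// Record why an event would be tuned out instead of silently dropping it
| extend BenignReason = case(
    InitiatingProcessFileName in~ (BenignParents), "known parent process",
    AccountName in~ (BenignAccounts), "known support account",
    ProcessCommandLine has_any (BenignFlags), "non-interactive flag",
    "")
// Keep only events with no recognised benign explanation
| where isempty(BenignReason)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count(),
    Parents=make_set(InitiatingProcessFileName),
    CommandLines=make_set(ProcessCommandLine)
    by DeviceId, DeviceName, AccountName
| order by Count desc
```

Removing the `where isempty(BenignReason)` line and adding `BenignReason` to the `by` clause turns the same query into a review of what the allow-lists are suppressing, which is worth running before trusting them, since a VNC server started by an adversary with `--listen` would otherwise be filtered by the flag rule.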