A SOC team should proactively hunt for TightVNC process creation, since it may indicate an adversary leveraging a remote management tool for persistence or command and control. This behaviour maps to MITRE ATT&CK T1219 (Remote Access Software) and is a common tactic attackers use to maintain access and exfiltrate data; the query below surfaces it from the DeviceProcessEvents table in an Azure Sentinel environment.
KQL Query

```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'GlavSoft'
    and ProcessVersionInfoProductName has 'TightVNC'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 0170143d-c5b9-49c2-ad03-be86564a7855
name: Remote Management and Monitoring tool - TightVNC - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'GlavSoft'
      and ProcessVersionInfoProductName has 'TightVNC'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: IT admin uses TightVNC to remotely manage a server during a scheduled maintenance window.
  Filter/Exclusion: Check for process.parent_process_name containing “Task Scheduler” or “schtasks.exe” and ensure the process is initiated by a known admin account.
- Scenario: A legitimate scheduled job runs TightVNC to monitor system performance and generate reports.
  Filter/Exclusion: Filter by process.command_line containing specific report generation arguments or check for process.parent_process_name matching “SQL Server Agent” or “sqlagent.exe”.
- Scenario: An administrator uses TightVNC to perform a remote desktop session to troubleshoot a user’s workstation.
  Filter/Exclusion: Use process.user to filter for known admin accounts and check for process.parent_process_name containing “Remote Desktop Services” or “mstsc.exe”.
- Scenario: A system update or patching tool initiates TightVNC to monitor system state during an automated update process.
  Filter/Exclusion: Filter by process.parent_process_name containing “Windows Update” or “wusa.exe” and check for process.command_line with update-related arguments.
- Scenario: A third-party RMM tool (e.g., Kaseya, ConnectWise) uses TightVNC as part of its remote management capabilities.
  Filter/Exclusion: Use process.parent_process_name containing the name of the RMM tool (e.g., “KaseyaAgent.exe”) and verify the process is associated with a known RMM service account.
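The scenarios above are written with ECS-style field names (process.parent_process_name, process.user, process.command_line); in the DeviceProcessEvents table those correspond to InitiatingProcessFileName, AccountName and ProcessCommandLine. The following tuned query is an added example, not part of the original rule, that extends the page's hunt with those exclusions; the admin-account and RMM-parent allowlists are constructed placeholders to be replaced with your own values, and every hit that none of the scenarios explains is kept for triage with its path and hash.

```kusto
// Added example: TightVNC hunt with the scenario exclusions applied.
let Time_start = now(-5d);
let Time_end = now();
// Constructed placeholders: replace with your own known admin and RMM service accounts
let KnownAdminAccounts = dynamic(["svc-rmm", "helpdesk-admin"]);
// KaseyaAgent.exe is named on the page; the second entry is a placeholder for another RMM agent
let KnownRmmParents = dynamic(["KaseyaAgent.exe", "YourRmmAgent.exe"]);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'GlavSoft'
    and ProcessVersionInfoProductName has 'TightVNC'
// Label each process creation with the benign scenario it matches, if any
| extend Reason = case(
    InitiatingProcessFileName in~ (KnownRmmParents)
        and AccountName in~ (KnownAdminAccounts),                  "known RMM agent",
    InitiatingProcessFileName =~ "schtasks.exe"
        and AccountName in~ (KnownAdminAccounts),                  "scheduled admin task",
    InitiatingProcessFileName =~ "sqlagent.exe",                   "SQL Server Agent job",
    InitiatingProcessFileName =~ "wusa.exe",                       "patching tool",
    InitiatingProcessFileName =~ "mstsc.exe"
        and AccountName in~ (KnownAdminAccounts),                  "admin remote session",
    "unexplained")
// Aggregate per device and reason; keep the artefacts an analyst needs to pivot on
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
    Parents=make_set(InitiatingProcessFileName), Accounts=make_set(AccountName),
    CommandLines=make_set(ProcessCommandLine), Paths=make_set(FolderPath),
    Hashes=make_set(SHA256), Report=make_set(ReportId)
    by DeviceId, DeviceName, Reason
// Drop the expected cases; what remains is the hunt's working set
| where Reason == "unexplained"
| order by LastSeen desc
```

Removing the final `where` clause turns the same query into a baseline view of how TightVNC is normally launched in the estate, which is useful for validating the allowlists before they are trusted in the exclusion.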