T1021.005 VNC Mappings

Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)

VNC differs from Remote Desktop Protocol as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)

Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1021.005 VNC
AC-02 Account Management Protects T1021.005 VNC
AC-03 Access Enforcement Protects T1021.005 VNC
AC-04 Information Flow Enforcement Protects T1021.005 VNC
AC-06 Least Privilege Protects T1021.005 VNC
CA-07 Continuous Monitoring Protects T1021.005 VNC
CA-08 Penetration Testing Protects T1021.005 VNC
CM-11 User-installed Software Protects T1021.005 VNC
CM-02 Baseline Configuration Protects T1021.005 VNC
CM-03 Configuration Change Control Protects T1021.005 VNC
CM-05 Access Restrictions for Change Protects T1021.005 VNC
CM-06 Configuration Settings Protects T1021.005 VNC
CM-07 Least Functionality Protects T1021.005 VNC
CM-08 System Component Inventory Protects T1021.005 VNC
IA-02 Identification and Authentication (organizational Users) Protects T1021.005 VNC
IA-04 Identifier Management Protects T1021.005 VNC
IA-06 Authentication Feedback Protects T1021.005 VNC
RA-05 Vulnerability Monitoring and Scanning Protects T1021.005 VNC
SC-07 Boundary Protection Protects T1021.005 VNC
SI-10 Information Input Validation Protects T1021.005 VNC
SI-15 Information Output Filtering Protects T1021.005 VNC
SI-03 Malicious Code Protection Protects T1021.005 VNC
SI-04 System Monitoring Protects T1021.005 VNC