T1021.005 VNC Mappings

Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)

VNC differs from Remote Desktop Protocol as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)

Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1021.005 | VNC | |
| CM-06 | Configuration Settings | mitigates | T1021.005 | VNC | |
| CM-05 | Access Restrictions for Change | mitigates | T1021.005 | VNC | |
| AC-17 | Remote Access | mitigates | T1021.005 | VNC | |
| CM-11 | User-installed Software | mitigates | T1021.005 | VNC | |
| CM-03 | Configuration Change Control | mitigates | T1021.005 | VNC | |
| IA-06 | Authentication Feedback | mitigates | T1021.005 | VNC | |
| IA-04 | Identifier Management | mitigates | T1021.005 | VNC | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1021.005 | VNC | |
| CM-08 | System Component Inventory | mitigates | T1021.005 | VNC | |
| SI-10 | Information Input Validation | mitigates | T1021.005 | VNC | |
| SI-15 | Information Output Filtering | mitigates | T1021.005 | VNC | |
| SI-03 | Malicious Code Protection | mitigates | T1021.005 | VNC | |
| CM-02 | Baseline Configuration | mitigates | T1021.005 | VNC | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1021.005 | VNC | |
| CM-07 | Least Functionality | mitigates | T1021.005 | VNC | |
| SI-04 | System Monitoring | mitigates | T1021.005 | VNC | |
| AC-02 | Account Management | mitigates | T1021.005 | VNC | |
| AC-03 | Access Enforcement | mitigates | T1021.005 | VNC | |
| AC-04 | Information Flow Enforcement | mitigates | T1021.005 | VNC | |
| AC-06 | Least Privilege | mitigates | T1021.005 | VNC | |
| SC-07 | Boundary Protection | mitigates | T1021.005 | VNC | |

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1021.005 | VNC | |
| aws_network_firewall | AWS Network Firewall | technique_scores | T1021.005 | VNC | |

Comments (amazon_virtual_private_cloud): VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates access to resources even by an adversary with a valid account. However, it can be circumvented if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.

Comments (aws_network_firewall): AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol, as well as perform deep packet inspection on the payload. This functionality can be used to allow remote services only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because, even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.