Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). The adversary may then perform actions as the logged-on user.
VNC is a desktop sharing system that allows users to remotely control another computer’s display by relaying mouse and keyboard inputs over the network. VNC does not necessarily use standard user credentials. Instead, a VNC client and server may be configured with sets of credentials that are used only for VNC connections.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1021.005 | VNC | |
AC-2 | Account Management | Protects | T1021.005 | VNC | |
AC-3 | Access Enforcement | Protects | T1021.005 | VNC | |
AC-4 | Information Flow Enforcement | Protects | T1021.005 | VNC | |
AC-6 | Least Privilege | Protects | T1021.005 | VNC | |
CA-7 | Continuous Monitoring | Protects | T1021.005 | VNC | |
CA-8 | Penetration Testing | Protects | T1021.005 | VNC | |
CM-11 | User-installed Software | Protects | T1021.005 | VNC | |
CM-2 | Baseline Configuration | Protects | T1021.005 | VNC | |
CM-3 | Configuration Change Control | Protects | T1021.005 | VNC | |
CM-5 | Access Restrictions for Change | Protects | T1021.005 | VNC | |
CM-6 | Configuration Settings | Protects | T1021.005 | VNC | |
CM-7 | Least Functionality | Protects | T1021.005 | VNC | |
CM-8 | System Component Inventory | Protects | T1021.005 | VNC | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1021.005 | VNC | |
IA-4 | Identifier Management | Protects | T1021.005 | VNC | |
IA-6 | Authentication Feedback | Protects | T1021.005 | VNC | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1021.005 | VNC | |
SC-7 | Boundary Protection | Protects | T1021.005 | VNC | |
SI-10 | Information Input Validation | Protects | T1021.005 | VNC | |
SI-15 | Information Output Filtering | Protects | T1021.005 | VNC | |
SI-3 | Malicious Code Protection | Protects | T1021.005 | VNC | |
SI-4 | System Monitoring | Protects | T1021.005 | VNC | |
action.hacking.variety.Use of stolen creds | Use of stolen authentication credentials (including credential stuffing) | related-to | T1021.005 | Remote Services: VNC | |
action.hacking.vector.Desktop sharing software | Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two | related-to | T1021.005 | Remote Services: VNC | |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1021.005 | VNC | Comments: VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This keeps even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1021.005 | VNC | Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack. |