Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Company
Platform
Modern NDR
Resources
Company
DETECTION OVERVIEW
Risk Factors
The VNC system is a common target for attackers because VNC provides remote access to other devices over the Remote Frame Buffer (RFB) protocol. If an attacker has VNC credentials for several devices on the network, they can easily open multiple VNC sessions. Then, they could laterally move across the network and possibly gain full remote desktop access to a critical device with an administrator account.
The system might change the risk score for this detection.
Kill Chain
$source attempted an unusually high number of session logins with multiple remote framebuffer (RFB) servers. RFB is a protocol that enables an administrator to remotely control another device with a VNC desktop-sharing system. This spike can be associated with both successful and unsuccessful logins. Investigate to determine if $source is compromised and whether an attacker is attempting to move laterally across the network.
Remote desktop-sharing systems, such as VNC, can enable an attacker to laterally move across a network, from one compromised device to the next, or they can provide an attacker direct access to a critical device. First, the attacker sends a connection request over RFB to VNC-enabled devices and then attempts to log in, either with stolen VNC credentials or by exploiting a vulnerability. If successful, the attacker can remotely run commands or code from the desktop, transfer unauthorized files, attempt data exfiltration, or take control of critical assets.
Only allow inbound external VNC connections from trusted devices
Limit the number of VNC login attempts and then block users that exceed this number
Disable or uninstall VNC on devices that do not require remote access
Enforce multi-factor authentication for remote logins
Implement microsegmentation by adding secure zones based on the zero-trust security model: partition network traffic with endpoint firewalls, virtual or software-defined networks, or physical networks
Network analysis and visibility solutions remain underrepresented in enterprises. Find out why in this preview of a new Wave report.
ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response
Visit this resource for more information.
This analysis exposes the critical link between an organization's lack of internal visibility and the escalating cost of compromise, demanding an urgent re-evaluation of how core business assets are protected.
Learn why you need to be wary of the claims certain network detection and response providers make about their coverage against the MITRE ATT&CK framework.
Learn how NDR from RevealX helps security teams detect and investigate more adversary TTPs in the MITRE ATT&CK framework than rule-based tools.
