AN0504: Analytic 0504
Detection of VNC service or executable starting unexpectedly, followed by user session creation and interactive desktop activity (mouse/keyboard simulation).
Analyst context for executives and security teams
This analytic matters because unexpected VNC activity on Windows can indicate an unauthorized interactive remote desktop session, not just background malware execution. For leaders, the key issue is whether the organization can quickly distinguish approved remote support from suspicious hands-on-keyboard activity before it affects business operations or incident response decisions.
Executive priority
Prioritize this as a control-validation and response-readiness question: do security teams have evidence to prove when VNC starts unexpectedly, who initiated or used the session, and whether interactive desktop activity followed? This supports business continuity, audit defensibility, and incident triage by separating legitimate administration from potentially unauthorized remote access. Because ATT&CK provides no tactic mapping or detection logic here, organizations should treat it as a detection engineering prompt rather than a complete rule.
Technical view
For Windows environments, validate monitoring around VNC service or executable start events, followed by user session creation and signs of interactive desktop activity such as mouse or keyboard simulation. SOC teams should baseline approved VNC deployments, support workflows, service names, executable paths, and expected users. IR teams should be prepared to correlate process/service activity with session evidence and endpoint activity to determine whether the access was authorized.
Likely telemetry
- Windows service start and configuration events
- Process execution telemetry for VNC executables
- Endpoint detection and response process and session data
- Windows logon or user session creation events
- Interactive desktop activity indicators, including mouse or keyboard simulation where available
Detection direction
- Build or validate correlation that looks for unexpected VNC service or executable start followed by user session creation and interactive desktop activity.
- Tune against known remote support tools, approved maintenance windows, help desk workflows, and authorized administrator accounts.
- Investigate mismatches between approved VNC inventory and observed executable paths, service names, users, or hosts.
- Avoid relying on process start alone; the ATT&CK description emphasizes the sequence of VNC start, session creation, and interactive desktop activity.
- Document blind spots where endpoint tooling cannot observe user session creation or mouse/keyboard simulation.
Mitigation priorities
- Maintain an approved inventory of VNC or equivalent remote access software on Windows systems.
- Restrict who can install, start, or administer remote desktop support services.
- Require change control or ticket evidence for legitimate remote support sessions.
- Harden endpoint logging and EDR collection for service starts, process execution, and user session activity.
- Review incident response playbooks for rapid validation of authorized versus unauthorized interactive remote access.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and includes no relationship context, tactic mapping, or official detection logic. The most useful implementation is a locally tuned correlation using Windows endpoint and session telemetry, with strong allowlisting for legitimate remote support activity.
This take is limited to the official fields provided. It does not establish adversary attribution, active exploitation, impact, or guaranteed detection. Local software inventory, logging coverage, remote support processes, and endpoint telemetry quality are required to determine practical coverage.
Analytic 0504
Detection of VNC service or executable starting unexpectedly, followed by user session creation and interactive desktop activity (mouse/keyboard simulation).
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 0194aeb15260… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0504Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.