Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0505: Analytic 0505

Spawning of VNC-related processes (e.g., `x11vnc`, `vncserver`) coupled with authentication logs and port listening behavior on TCP 5900.

EnterpriseAN0505AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about recognizing when a Linux system starts VNC-related remote desktop services, such as x11vnc or vncserver, alongside authentication activity and a listener on TCP 5900. For leaders, the practical issue is remote interactive access: if VNC appears unexpectedly on servers or workstations, it can change the incident response priority because it may indicate an exposed or unauthorized remote-control path.

Executive priority

Treat this as a control-validation opportunity for remote access governance on Linux assets. Security leaders should ask which systems are allowed to run VNC, whether TCP 5900 exposure is expected, and whether SOC teams can correlate process, authentication, and network-listening evidence quickly enough to support incident decisions and audit evidence.

Technical view

For SOC and detection teams, validate Linux telemetry that can correlate three evidence points: VNC-related process creation, authentication log activity, and TCP 5900 listening behavior. Because no ATT&CK tactic or relationships are supplied, this analytic should be handled as a behavior-specific detection signal rather than evidence of a specific intrusion stage or actor. Tuning should distinguish approved administrative VNC use from unexpected service starts, unusual users, or new listeners on systems where VNC is not part of the baseline.

Likely telemetry

  • Linux process creation events showing x11vnc, vncserver, or other VNC-related processes
  • Linux authentication logs associated with local or remote login activity
  • Network socket or service-listening telemetry showing TCP 5900
  • Host inventory or service baseline data identifying systems approved to run VNC
  • Firewall or network flow records showing connections to or from TCP 5900 where available

Detection direction

  • Confirm that Linux endpoint logging captures process names and command execution sufficient to identify VNC-related processes.
  • Validate that authentication logs are centralized and time-correlatable with process and port-listening events.
  • Alert higher when VNC process creation and TCP 5900 listening occur on systems not approved for VNC use.
  • Tune for known administrative tools and maintenance windows to reduce false positives.
  • Review blind spots where port-listening telemetry, auth logs, or Linux process visibility are missing, because the analytic depends on correlation rather than a single signal.

Mitigation priorities

  • Maintain an approved-use inventory for VNC on Linux systems.
  • Restrict VNC exposure and TCP 5900 access according to business need and network segmentation policy.
  • Require strong authentication and administrative accountability for approved remote desktop use.
  • Remove or disable unauthorized VNC services where not operationally required.
  • Use the analytic as compliance and readiness evidence by documenting which systems are monitored for process, authentication, and listening-port behavior.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique description. Its value is in validating whether defenders can observe suspicious or unexpected Linux VNC enablement through correlated host and network evidence.

No official detection text, tactic mapping, relationships, aliases, or labels were supplied. This take is limited to the official description, Linux platform scope, external reference, and object metadata. Local baselines are required to determine whether VNC activity is authorized or suspicious.

Official MITRE ATT&CK definition

Analytic 0505

Spawning of VNC-related processes (e.g., `x11vnc`, `vncserver`) coupled with authentication logs and port listening behavior on TCP 5900.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
5c37840875bccc96...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 5c37840875bc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0505
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use