MITRE ATT&CK® Analytic

AN0506: Analytic 0506

Detection of VNC-based remote control via `screensharingd` activity in Unified Logs along with concurrent remote login activity or suspicious user interaction.

Domain: Enterprise. ID: AN0506. Type: Analytic. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters for organizations with macOS endpoints because VNC-style remote control can turn a workstation into an interactive access point for an operator. The supplied ATT&CK object focuses on detecting macOS Screen Sharing activity through `screensharingd` in Unified Logs, especially when it appears alongside remote login activity or suspicious user interaction. For leaders, the practical question is whether the organization can reliably tell the difference between approved remote support and unexpected interactive control of a Mac.

Executive priority

Prioritize this where macOS systems support executives, administrators, developers, finance users, or operationally sensitive workflows. The business value is not just detecting Screen Sharing; it is proving that remote administration paths are governed, logged, and reviewable during an incident. Security leaders should ask whether macOS Unified Logs are collected centrally, whether approved remote access is documented, and whether SOC/IR teams can quickly validate who initiated an interactive session and whether it was expected.

Technical view

For SOC and detection engineering teams, validate collection and parsing of macOS Unified Logs for `screensharingd` activity. Because the object calls out concurrent remote login activity or suspicious user interaction, detection should correlate Screen Sharing-related events with other remote access signals (for example an SSH login to the same host from the same source shortly before the Screen Sharing authentication, since macOS Remote Login is SSH) and with user-session context where available. Tuning should account for legitimate IT helpdesk, device management, and administrative workflows so alerts focus on unexpected hosts, users, times, or combinations of remote login plus interactive control.

Likely telemetry

  • macOS Unified Logs containing `screensharingd` activity
  • Remote login or remote access authentication/session records from macOS systems
  • Endpoint user-session and interactive activity context
  • Asset and user ownership context for macOS devices
  • Approved remote administration or helpdesk activity records

Detection direction

  • Confirm that macOS Unified Logs are actually collected from in-scope endpoints and retained long enough for investigation.
  • Build or validate logic that identifies `screensharingd` activity and correlates it with remote login activity or unusual interactive user behavior.
  • Tune against known authorized remote support and administration patterns to reduce false positives.
  • Prioritize alerts involving privileged users, sensitive assets, unusual hours, unfamiliar source systems, or remote-control activity without a matching support request.
  • Document blind spots where macOS endpoints do not forward Unified Logs or where remote access tooling bypasses the available telemetry.
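The correlation and tuning logic described in the Technical view and in the Detection direction bullets above, as an added example (not code from the ATT&CK object or from this page). The line layout, the `screensharingd` and `sshd` message wording, the five sample log lines, the approved viewer network, the account lists, the business-hours range and the ten-minute login window are all constructed assumptions for the example; real Unified Log output (for instance from `log show --predicate 'process == "screensharingd" OR process == "sshd"' --last 1d`) uses a different layout and would need its own parser.

```python
"""Correlate macOS screensharingd authentication events with remote (SSH) logins.

Added example, not part of the ATT&CK object or the page that cites it.
Everything below the imports is an assumption: the line layout, the message
text, the sample lines and the tuning values.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<ISO timestamp> <host> <process>: <message>" layout.
# The message wording is modelled on, not copied from, real Unified Log entries.
SAMPLE_LOGS = """\
2024-03-04T09:02:11 mac-fin-07 sshd: Accepted publickey for helpdesk from 10.20.30.5 port 50122 ssh2
2024-03-04T09:03:40 mac-fin-07 screensharingd: Authentication: SUCCEEDED :: User: helpdesk :: Viewer Address: 10.20.30.5
2024-03-04T14:10:00 mac-fin-07 screensharingd: Authentication: FAILED :: User: root :: Viewer Address: 198.51.100.9
2024-03-04T23:41:05 mac-fin-07 sshd: Accepted password for jdoe from 203.0.113.77 port 41002 ssh2
2024-03-04T23:42:30 mac-fin-07 screensharingd: Authentication: SUCCEEDED :: User: jdoe :: Viewer Address: 203.0.113.77
"""

# Tuning knobs (assumed values): where approved remote support comes from, who does it,
# which accounts deserve extra weight, what "normal hours" are, and how close an SSH
# login must be to count as concurrent with the Screen Sharing session.
APPROVED_VIEWER_NETS = [ipaddress.ip_network("10.20.30.0/24")]
APPROVED_SUPPORT_ACCOUNTS = {"helpdesk"}
PRIVILEGED_ACCOUNTS = {"root", "admin"}
BUSINESS_HOURS = range(8, 18)
LOGIN_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
SSHD_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
VNC_RE = re.compile(r"Authentication: (SUCCEEDED|FAILED) :: User: (\S+) :: Viewer Address: (\S+)")


@dataclass
class Event:
    ts: datetime
    host: str
    proc: str
    msg: str


def parse(text: str) -> list[Event]:
    """Parse the assumed line layout; lines that do not match are skipped, output is time-ordered."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, msg = m.groups()
            events.append(Event(datetime.fromisoformat(ts), host, proc, msg))
    return sorted(events, key=lambda e: e.ts)


def approved_source(addr: str) -> bool:
    """True when the viewer address sits inside an approved support network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_VIEWER_NETS)


def correlate(events: list[Event]) -> list[dict]:
    """One finding per screensharingd auth event, carrying the reasons it was escalated.

    The expected helpdesk pattern (approved account, approved network, business hours,
    successful auth) is suppressed even when an SSH login precedes it, because legitimate
    support workflows commonly do both.  Failed VNC authentications are always reported.
    """
    ssh_logins = []  # (ts, host, user, source)
    for e in events:
        if e.proc == "sshd":
            m = SSHD_RE.search(e.msg)
            if m:
                ssh_logins.append((e.ts, e.host, *m.groups()))

    findings = []
    for e in events:
        m = VNC_RE.search(e.msg) if e.proc == "screensharingd" else None
        if not m:
            continue
        outcome, user, viewer = m.groups()
        reasons = []
        if outcome == "FAILED":
            reasons.append("failed_vnc_auth")
        concurrent = [l for l in ssh_logins
                      if l[1] == e.host and (l[2] == user or l[3] == viewer)
                      and timedelta(0) <= e.ts - l[0] <= LOGIN_WINDOW]
        if concurrent:
            reasons.append("concurrent_remote_login")
        if not approved_source(viewer):
            reasons.append("unapproved_source")
        if e.ts.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if user in PRIVILEGED_ACCOUNTS:
            reasons.append("privileged_user")
        expected = (outcome == "SUCCEEDED" and user in APPROVED_SUPPORT_ACCOUNTS
                    and approved_source(viewer) and e.ts.hour in BUSINESS_HOURS)
        if expected:
            continue
        findings.append({"ts": e.ts.isoformat(), "host": e.host, "user": user,
                         "viewer": viewer, "outcome": outcome, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse(SAMPLE_LOGS)):
        print(finding)
```

On the constructed input the 09:03 helpdesk session is suppressed as an expected support pattern, the 14:10 failed attempt against `root` from an unapproved address is reported, and the 23:42 session by `jdoe` is reported with concurrent SSH login, unapproved source and off-hours all attached. Keeping each suppression condition explicit (account, network, hours, outcome) is what makes the tuning reviewable later: an incident responder can see exactly why an event was not alerted.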

Mitigation priorities

  • Inventory where macOS Screen Sharing or VNC-based remote control is permitted and remove unnecessary exposure.
  • Restrict remote administration to approved users, managed devices, and documented support processes.
  • Ensure macOS logging and endpoint telemetry are centrally collected for systems where remote control risk is material.
  • Use identity and access governance to review accounts allowed to perform remote login or remote control.
  • Maintain incident response procedures for validating whether a remote session was authorized, who controlled it, and what activity occurred.

Analyst notes and limits

No ATT&CK relationships were supplied, and the object does not provide tactic mappings or detailed detection logic. This take therefore stays focused on the official description: VNC-based remote control detection on macOS using `screensharingd` Unified Log activity plus related remote login or suspicious interaction context.

The supplied object is a detection analytic with sparse fields. It does not establish adversary use, prevalence, impact, specific data sources beyond the description, or guaranteed detection outcomes. Local macOS configuration, logging coverage, remote support practices, and identity context are required to determine operational value.

Official MITRE ATT&CK definition

Analytic 0506

Detection of VNC-based remote control via `screensharingd` activity in Unified Logs along with concurrent remote login activity or suspicious user interaction.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty)
Modified: (empty)
Raw hash: 51f2dd120dadc866...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    | (empty)         | 1.0            | (empty)  | Current bundle | 51f2dd120dad…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0506 (external source URL retained in the source record)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.