AN0715: Analytic 0715
Execution of known or custom VNC/remote desktop daemons or tunneling agents that initiate external communication after launch
Analyst context for executives and security teams
This analytic focuses on Linux systems where VNC, remote desktop daemons, or tunneling agents are launched and then initiate outbound communication. For leaders, the decision value is remote access governance: unmanaged or unexpected remote-control services can create operational and incident-response risk even when the tool itself is legitimate.
Executive priority
Prioritize this as a control-validation item for Linux estates that support administration, production workloads, or sensitive operations. Executives should ask whether remote desktop and tunneling tools are approved, inventoried, logged, and reviewable during an incident. The absence of official ATT&CK detection detail means teams should not assume coverage exists; they should prove what their telemetry can actually show: process launch followed by external network activity from that process.
Technical view
SOC and IR teams should validate whether Linux telemetry can correlate execution of known or custom VNC/remote desktop daemons or tunneling agents with outbound connections made after launch. Because no tactic or relationship context is supplied, treat this as behavior-level monitoring rather than a complete intrusion narrative. Detection engineering should focus on baselining approved remote-access software and on identifying unusual parent processes, service locations, command lines, users, destinations, and first-seen binaries or network endpoints.
Likely telemetry
- Linux process execution telemetry, including binary name, path, command line, user, parent process, and timestamp
- Linux service or daemon start records where available
- Network connection telemetry showing outbound destination IPs, ports, domains, timing, and initiating process where available
- Endpoint file metadata for newly introduced or uncommon remote desktop or tunneling binaries
- Authentication and user-session context associated with the process launch
Detection direction
- Validate correlation between process launch and external communication after launch; either signal alone may be noisy.
- Build and maintain an allowlist or inventory of approved VNC, remote desktop, and tunneling tools used on Linux systems.
- Tune for uncommon binary paths, unexpected users, unusual parent processes, new external destinations, or remote-access tools running on systems where they are not expected.
- Account for legitimate administration activity to reduce false positives, especially on jump hosts, engineering workstations, and managed Linux servers.
- Identify telemetry blind spots where network logs cannot be tied back to the originating Linux process or where process command-line capture is unavailable.
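As an added example (not part of the ATT&CK object or Glexia's analysis), the launch-to-connect correlation from the first bullet combined with the tuning criteria from the third, run over constructed sample events; the event schema, the allowlist, the internal-address definition and the time window are all assumptions:

```python
"""Correlate Linux launches of remote-access or tunneling tools with outbound
connections made by the same process shortly after launch (constructed schema)."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed site allowlist: binary path -> users approved to run it.
APPROVED = {"/usr/bin/x0vncserver": {"ops-admin"}}
WINDOW = timedelta(seconds=120)  # launch-to-connect window; tune locally
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events (not from a real host); destinations use TEST-NET ranges.
EVENTS = [
    {"type": "exec", "ts": "2024-05-01T10:00:00", "pid": 4101, "user": "ops-admin", "exe": "/usr/bin/x0vncserver"},
    {"type": "connect", "ts": "2024-05-01T10:00:30", "pid": 4101, "dst": "198.51.100.20", "dport": 5900},
    {"type": "exec", "ts": "2024-05-01T10:05:00", "pid": 5222, "user": "www-data", "exe": "/tmp/.x/vncd"},
    {"type": "connect", "ts": "2024-05-01T10:05:07", "pid": 5222, "dst": "203.0.113.9", "dport": 443},
    {"type": "connect", "ts": "2024-05-01T10:05:09", "pid": 5222, "dst": "10.20.0.5", "dport": 22},  # internal
]

def is_external(dst):
    """True when dst is outside RFC 1918 and loopback space (site-specific definition)."""
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL)

def correlate(events, approved=APPROVED, window=WINDOW):
    """One finding per (exec, external connect) pair from the same pid inside the window.
    `reasons` lists deviations from the baseline; an empty list is an approved tool
    reaching an external host, which is lower priority but still worth a destination check."""
    launches = {e["pid"]: e for e in events if e["type"] == "exec"}
    findings = []
    for c in (e for e in events if e["type"] == "connect"):
        launch = launches.get(c["pid"])
        if launch is None or not is_external(c["dst"]):
            continue  # no tracked launch, or internal destination
        delta = datetime.fromisoformat(c["ts"]) - datetime.fromisoformat(launch["ts"])
        if not timedelta(0) <= delta <= window:
            continue  # too early or too late to attribute the connect to this launch
        reasons = []
        if launch["exe"] not in approved:
            reasons.append("binary not in remote-access allowlist")
        elif launch["user"] not in approved[launch["exe"]]:
            reasons.append("unexpected user for approved tool")
        if launch["exe"].startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            reasons.append("binary launched from world-writable path")
        findings.append({"pid": c["pid"], "exe": launch["exe"], "user": launch["user"],
                         "dst": f"{c['dst']}:{c['dport']}", "reasons": reasons})
    return findings
```

Feeding the same logic real process and network telemetry requires the initiating process to be present on the network record; where it is not, that is exactly the blind spot the last bullet describes.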
Mitigation priorities
- Establish policy and inventory for approved Linux remote desktop and tunneling software.
- Restrict installation and execution of unapproved remote-access daemons and tunneling agents using standard endpoint and administrative controls.
- Limit outbound connectivity from Linux systems to required destinations and monitor exceptions.
- Ensure Linux endpoint logging and network telemetry are retained and accessible for incident response.
- Review privileged accounts and service configurations that can start persistent remote-access daemons.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux and describes execution of VNC/remote desktop daemons or tunneling agents that initiate external communication. No official detection logic, tactics, techniques, mitigations, or relationships were supplied, so this take frames practical validation around the described behavior only.
Coverage and priority depend on local Linux usage patterns, approved administration tools, network architecture, and telemetry depth. This summary does not assert active exploitation, attribution, impact, or guaranteed detection because those details are not present in the supplied ATT&CK fields.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps) so they can be compared. For MITRE's own release notes and roadmap, see the ATT&CK resources and updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1816445d3928… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0715
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.