DET0178: Behavioral Detection of Unauthorized VNC Remote Control Sessions
Analyst context for executives and security teams
DET0178 is a MITRE detection strategy for identifying unauthorized VNC remote control sessions. Its business value is in helping teams distinguish legitimate remote administration from remote desktop activity that could enable lateral movement using valid accounts. Because the ATT&CK record provides no official detection logic, organizations should treat this as a validation target rather than an out-of-the-box rule.
Executive priority
Prioritize this where VNC or similar desktop-sharing access is allowed in the environment. The leadership question is whether remote control of Linux, Windows, and macOS systems is governed, logged, and reviewable enough to support incident response, audit evidence, and containment decisions. Weak visibility around remote administration can turn account compromise into broader operational disruption.
Technical view
This detection strategy covers ATT&CK technique T1021.005 (VNC), which is associated with lateral movement and applies to Linux, Windows, and macOS in the related technique context. SOC and detection teams should validate whether they can identify VNC/RFB remote-control behavior, distinguish approved administration from unauthorized sessions, and correlate activity with valid-account use. Because the ATT&CK object has no official detection text, local baselining and allow-list context are essential.
Likely telemetry
- Network session metadata showing VNC/RFB remote-control connections between hosts
- Authentication and account-use logs for accounts initiating or receiving remote access
- Endpoint telemetry showing remote-control services, clients, or session activity where available
- Asset inventory identifying systems where VNC use is approved versus unexpected
- Administrative access records or change tickets that explain legitimate remote support activity
Detection direction
- Validate that monitoring can see remote-control sessions across the network segments where VNC is permitted or likely to appear.
- Build context around authorized VNC usage: approved users, source systems, destination systems, maintenance windows, and business purpose.
- Correlate VNC activity with valid-account authentication patterns, especially unusual source hosts or access to systems not normally administered that way.
- Tune for false positives from legitimate IT support and operations teams; unexplained or newly observed VNC paths should receive higher scrutiny.
- Document blind spots explicitly, especially unmanaged endpoints, encrypted or segmented traffic paths, and hosts without endpoint or authentication telemetry.
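One way to implement the visibility, allow-list and correlation steps above, as an added example that is not part of the ATT&CK object or this page: it identifies VNC sessions by the RFB protocol-version banner the server sends first (so a session on a non-standard port is still caught), checks each (account, source, destination) path against an approved-use baseline, and ranks anything off-baseline for scrutiny. The session records, host names, account names and the baseline are constructed samples, and it assumes the network telemetry retains the server's first bytes and the account tied to the session.

```python
import re

# RFB ProtocolVersion handshake: the server's first bytes are "RFB xxx.yyy\n"
# (for example "RFB 003.008\n"), which identifies VNC independently of the port.
RFB_BANNER = re.compile(r"^RFB (\d{3})\.(\d{3})\n")
VNC_PORTS = range(5900, 5910)  # conventional display ports 5900+N

# Constructed sample of network session metadata joined with the account from
# authentication logs (not real data): src host, dst host, dst port, the first
# bytes the server returned, and the account that opened the session.
SESSIONS = [
    {"src": "it-jump01", "dst": "lnx-web03", "dport": 5900, "banner": "RFB 003.008\n", "user": "svc-remotesupport"},
    {"src": "hr-laptop17", "dst": "fin-db02", "dport": 5900, "banner": "RFB 003.008\n", "user": "jdoe"},
    {"src": "it-jump01", "dst": "mac-design04", "dport": 5901, "banner": "RFB 003.889\n", "user": "svc-remotesupport"},
    {"src": "it-jump01", "dst": "fin-db02", "dport": 5900, "banner": "SSH-2.0-OpenSSH\r\n", "user": "svc-remotesupport"},
    {"src": "build-agent9", "dst": "lnx-web03", "dport": 22222, "banner": "RFB 003.008\n", "user": "jdoe"},
]

# Constructed approved-use baseline: (account, source host, destination host)
# paths that IT has documented as legitimate remote support.
APPROVED = {
    ("svc-remotesupport", "it-jump01", "lnx-web03"),
    ("svc-remotesupport", "it-jump01", "mac-design04"),
}


def is_rfb(banner: str) -> bool:
    """True when the server's first bytes are an RFB protocol-version string."""
    return RFB_BANNER.match(banner) is not None


def triage(sessions, approved):
    """Return (verdict, path, dport) for every RFB session seen.

    Sessions whose banner is not RFB are ignored even on a VNC port, so a
    port-only rule's false positives (other services on 59xx) drop out here.
    """
    findings = []
    for s in sessions:
        if not is_rfb(s["banner"]):
            continue
        path = (s["user"], s["src"], s["dst"])
        if path in approved:
            verdict = "approved"
        elif s["dport"] not in VNC_PORTS:
            verdict = "rfb-on-nonstandard-port"  # evades port-based monitoring: highest scrutiny
        else:
            verdict = "unapproved-path"  # new account/source/destination combination
        findings.append((verdict, path, s["dport"]))
    return findings


if __name__ == "__main__":
    for verdict, path, dport in triage(SESSIONS, APPROVED):
        print(f"{verdict:24} user={path[0]} {path[1]} -> {path[2]}:{dport}")
```

Feed the same records through a rule that keys only on port 5900 and the SSH-on-5900 record becomes a false positive while the session on port 22222 is missed, which is the blind spot the banner check closes.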
Mitigation priorities
- Inventory and formally approve where VNC remote control is allowed.
- Restrict VNC access to required users, systems, and network paths rather than allowing broad reachability.
- Strengthen valid-account controls used for remote administration, including least privilege and review of privileged access.
- Ensure logging for remote access, authentication, and endpoint activity is retained long enough to support incident response and compliance evidence.
- Prepare containment procedures for suspicious remote-control sessions, including account review and host isolation decisions.
Analyst notes and limits
The ATT&CK object is a detection strategy named Behavioral Detection of Unauthorized VNC Remote Control Sessions and is related to T1021.005 VNC. The relationship provides the main analytic context: VNC can be used for remote control via the RFB protocol and is associated with lateral movement. The official detection and description fields for DET0178 are not provided, so implementation must be based on local telemetry and approved-use baselines.
No official MITRE detection logic, platforms, tactics, or description are provided for DET0178 itself. Platform and tactic context comes from the related VNC technique only. This take does not assert active exploitation, actor attribution, or guaranteed detection coverage.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e8ea62853e35… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.