title: Use of UltraVNC Remote Access Software
id: 145322e4-0fd3-486b-81ca-9addc75736d8
status: experimental
description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
author: frack113
date: 2022/10/02
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: VNCViewer
        - Product: UltraVNC VNCViewer
        - Company: UltraVNC
        - OriginalFileName: VNCViewer.exe
    condition: selection
falsepositives:
    - Legitimate use
level: medium