title: Suspicious UltraVNC Execution
id: 871b9555-69ca-4993-99d3-35a59f9f3599
status: experimental
author: Bhabesh Raj
date: 2022/03/04
modified: 2022/03/09
description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
references:
    - https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
    - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
tags:
    - attack.lateral_movement
    - attack.g0047
    - attack.t1021.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-autoreconnect '
            - '-connect '
            - '-id:'
    condition: selection 
falsepositives:
    - Unknown
level: high