Centralising RealVNC Server logs and reporting events with Wazuh


Wazuh is a free, Open Source security platform providing XDR and SIEM capabilities.

For more information on Wazuh, see https://wazuh.com/

To show how RealVNC Server events can be reported in Wazuh, we created the following simple rules to log RealVNC Server authentications and disconnections on Linux and Windows. Both the Linux and Windows devices use the default RealVNC Server logging configuration: the Application event log on Windows and syslog on Linux.

This was done purely for demonstration purposes, and the rules are deliberately very simple.

They do, however, demonstrate how RealVNC Connect server events can be monitored centrally and provide information useful to security operations: the user connecting, the account email address (in the case of cloud connections), the IP address of the connecting RealVNC Viewer and the permissions granted by RealVNC Server. Note that failed logins are not logged as a separate event: RealVNC Server reports them as a disconnection carrying an [AuthFailure] reason, so it is the disconnection rule that surfaces them.

Configuring Wazuh Rules

Windows

rules file: vncserver-windows-auth.xml (placed in the manager's custom rules directory, /var/ossec/etc/rules/; rule IDs from 100000 upwards are reserved for custom rules)

<group name="windows,windows_application,">
<!-- Events written to the Application log by the "VNC Server" provider with event ID 256.
     <match> is tested against the whole event, which carries the text twice: as
     "Connections, authenticated:" in eventdata.data and as "Connections: authenticated:"
     in system.message, so either form of the string matches. -->
<rule id="100503" level="3">
<if_sid>60600</if_sid>
<field name="win.system.providerName">^VNC Server$</field>
<field name="win.system.eventID">^256$</field>
<match>Connections, authenticated:</match>
<options>no_full_log</options>
<description>RealVNC : VNC Server authentication successful</description>
<mitre>
<id>T1078</id>
<id>T1021</id>
</mitre>
</rule>

<!-- Every disconnection, including the [AuthFailure] and [IdleTimeout] cases shown below -->
<rule id="100504" level="3">
<if_sid>60600</if_sid>
<field name="win.system.providerName">^VNC Server$</field>
<field name="win.system.eventID">^256$</field>
<match>Connections: disconnected:</match>
<options>no_full_log</options>
<description>RealVNC : VNC Server disconnection</description>
</rule>
</group>

Linux

rules file: realvnc-server.xml (also placed in /var/ossec/etc/rules/ on the manager)

<group name="syslog">
<!-- Parent rule: every syslog line from the vncserver-x11 program -->
<rule id="105900" level="3">
<program_name>vncserver-x11</program_name>
<description>VNC Server rules</description>
</rule>

<!-- The child rules depend on the parent through if_sid, so that a "Connections:" string
     logged by some other program does not trigger them -->
<rule id="105901" level="3">
<if_sid>105900</if_sid>
<match>Connections: authenticated:</match>
<description>RealVNC : VNC Server authentication successful</description>
<mitre>
<id>T1078</id>
<id>T1021</id>
</mitre>
</rule>

<rule id="105902" level="3">
<if_sid>105900</if_sid>
<match>Connections: disconnected:</match>
<description>RealVNC : VNC Server disconnection</description>
</rule>
</group>
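Two additions a practitioner would normally want on top of the rules above, written here as an added example and not part of the original article or of RealVNC's own rules: a dedicated rule for the [AuthFailure] disconnection shown in the samples later on this page, and a frequency rule that fires when that rule matches five times within two minutes. The rule IDs (100505, 100506, 105903, 105904), the levels and the frequency/timeframe values are assumed; the rules depend on the disconnection rules 100504 (Windows) and 105902 (Linux) above. The count is not tied to one source address, because the default Windows eventchannel and syslog decoders do not extract the Viewer's address into a srcip field; a custom decoder that does so is the prerequisite for adding <same_srcip /> to the frequency rules.

```xml
<!-- Added example rules; append the first group to vncserver-windows-auth.xml -->
<group name="windows,windows_application,">
  <!-- Authentication failure: a disconnection whose reason is [AuthFailure] -->
  <rule id="100505" level="5">
    <if_sid>100504</if_sid>
    <match>[AuthFailure]</match>
    <options>no_full_log</options>
    <description>RealVNC : VNC Server authentication failure</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- Five failures in 120 seconds (assumed thresholds); counted across all agents
       because no srcip is decoded from the event -->
  <rule id="100506" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100505</if_matched_sid>
    <description>RealVNC : repeated VNC Server authentication failures (possible brute force)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
</group>

<!-- Append the second group to realvnc-server.xml -->
<group name="syslog">
  <rule id="105903" level="5">
    <if_sid>105902</if_sid>
    <match>[AuthFailure]</match>
    <description>RealVNC : VNC Server authentication failure</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <rule id="105904" level="10" frequency="5" timeframe="120">
    <if_matched_sid>105903</if_matched_sid>
    <description>RealVNC : repeated VNC Server authentication failures (possible brute force)</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
</group>
```

After copying the blocks into the rules files, restart the manager (systemctl restart wazuh-manager) and check a Linux sample line with /var/ossec/bin/wazuh-logtest, which reads a log line from standard input and prints the decoder and the rule that matched; a disconnection line containing "[AuthFailure]" should now report rule 105903 rather than 105902.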

Example events

Below are samples of the events generated using the simple rules above. The pertinent details are the connecting Viewer's address and port, the account it authenticated as and the permissions granted, and, for disconnections, the bracketed reason code such as [AuthFailure] or [IdleTimeout]:

Windows

Successful authentication

Direct connection to win11x64 from 192.168.1.37, JSON view

{
  "cluster": {
    "node": "worker01",
    "name": "wazuh"
  },
  "agent": {
    "ip": "192.168.1.6",
    "name": "win11x64",
    "id": "003"
  },
  "manager": {
    "name": "wazuh-worker"
  },
  "data": {
    "win": {
      "eventdata": {
        "data": "Connections, authenticated: 192.168.1.37::55645 (UDP), as andrew (d permissions)"
      },
      "system": {
        "eventID": "256",
        "keywords": "0x80000000000000",
        "level": "4",
        "channel": "Application",
        "opcode": "0",
        "message": "\"Connections: authenticated: <IP address redacted> (UDP), as user (d permissions)\"",
        "version": "0",
        "systemTime": "2023-03-22T13:07:00.9405565Z",
        "eventRecordID": "18347",
        "threadID": "0",
        "computer": "win11x64.grayway.local",
        "task": "1",
        "processID": "3452",
        "severityValue": "INFORMATION",
        "providerName": "VNC Server"
      }
    }
  },
  "rule": {
    "firedtimes": 1,
    "mail": false,
    "level": 3,
    "description": "RealVNC : VNC Server authentication successful",
    "groups": [
      "windows",
      "windows_application"
    ],
    "mitre": {
      "technique": [
        "Valid Accounts",
        "Remote Services"
      ],
      "id": [
        "T1078",
        "T1021"
      ],
      "tactic": [
        "Defense Evasion",
        "Initial Access",
        "Persistence",
        "Privilege Escalation",
        "Lateral Movement"
      ]
    },
    "id": "100503"
  },
  "decoder": {
    "name": "windows_eventchannel"
  },
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-03-22T13:07:01.243Z",
  "location": "EventChannel",
  "id": "1679490421.3636256",
  "timestamp": "2023-03-22T13:07:01.243+0000",
  "_id": "3yNuCYcBfxLkvmQ5H8Kc"
}

Unsuccessful connection (authentication failure - incorrect username/password)

Direct connection to win11x64 from 192.168.1.37, JSON view

{
  "cluster": {
    "node": "worker01",
    "name": "wazuh"
  },
  "agent": {
    "ip": "192.168.1.6",
    "name": "win11x64",
    "id": "003"
  },
  "manager": {
    "name": "wazuh-worker"
  },
  "data": {
    "win": {
      "eventdata": {
        "data": "Connections, disconnected: 192.168.1.37::62213 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)"
      },
      "system": {
        "eventID": "256",
        "keywords": "0x80000000000000",
        "level": "4",
        "channel": "Application",
        "opcode": "0",
        "message": "\"Connections: disconnected: 192.168.1.37::62213 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)\"",
        "version": "0",
        "systemTime": "2023-03-22T14:28:47.7294381Z",
        "eventRecordID": "18366",
        "threadID": "0",
        "computer": "win11x64.grayway.local",
        "task": "1",
        "processID": "3452",
        "severityValue": "INFORMATION",
        "providerName": "VNC Server"
      }
    }
  },
  "rule": {
    "firedtimes": 1,
    "mail": false,
    "level": 3,
    "description": "RealVNC : VNC Server disconnection",
    "groups": [
      "windows",
      "windows_application"
    ],
    "id": "100504"
  },
  "decoder": {
    "name": "windows_eventchannel"
  },
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-03-22T14:28:47.909Z",
  "location": "EventChannel",
  "id": "1679495327.3980121",
  "timestamp": "2023-03-22T14:28:47.909+0000",
  "_id": "XiO4CYcBfxLkvmQ5-MRq"
}

Authentication timeout (only the message field is shown; the rest of the event matches the disconnection sample above, and it is again rule 100504 that fires)

"message": "\"Connections: disconnected: 192.168.1.37::60526 (UDP) ([IdleTimeout] The authentication period has timed out.)\"",

Linux

RealVNC Connect Cloud connection

Connection to machine named carbon from user with email user@example.com

agent.ip: 192.168.1.217
agent.name: carbon
agent.id: 001
cluster.node: worker01
cluster.name: wazuh
manager.name: wazuh-worker
rule.firedtimes: 1
rule.mail: false
rule.level: 3
rule.description: RealVNC : VNC Server authentication successful
rule.groups: syslog
rule.mitre.technique: Valid Accounts, Remote Services
rule.mitre.id: T1078, T1021
rule.mitre.tactic: Defense Evasion, Initial Access, Persistence, Privilege Escalation, Lateral Movement
rule.id: 105901
full_log: Mar 22 13:00:46 carbon vncserver-x11[777,root]: Connections: authenticated: user@example.com (from <IP address redacted>, as test (d permissions)
location: /var/log/syslog

Disconnection (cause: viewer closed)

agent.ip: 192.168.1.217
agent.name: carbon
agent.id: 001
cluster.node: worker01
cluster.name: wazuh
manager.name: wazuh-worker
rule.firedtimes: 1
rule.mail: false
rule.level: 3
rule.description: RealVNC : VNC Server disconnection
rule.groups: syslog
rule.id: 105902
full_log: Mar 22 13:04:13 carbon vncserver-x11[777,root]: Connections: disconnected: user@example.com (from <IP address redacted>) ([ViewerClosed] VNC Viewer closed)
location: /var/log/syslog
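The Wazuh rules above only flag that an authentication or disconnection happened; the fields security operations actually want (Viewer address and port, account, granted permissions, disconnect reason code) are still embedded in the message text. The following parser, added here as an example and not code from the original article, RealVNC or Wazuh, pulls those fields out of both the Linux syslog line and the Windows eventdata/message strings shown on this page, and counts [AuthFailure] disconnections per source address, which is the figure a brute-force correlation would key on. The sample lines are constructed for the example: the first three and the [IdleTimeout] line reproduce text from this page, the others are made up, and the "Connections: connected:" line only demonstrates that unrelated lines are skipped. The cloud-connection form "email (from address)" is assumed to close its parenthesis in unredacted logs; the closing parenthesis is optional so the redacted line on this page parses too.

```python
"""Parse RealVNC Server connection log lines into structured fields.

Example code, not part of RealVNC or Wazuh.  Handles the default RealVNC
Server log text as it appears in the Windows Application event log
(providerName "VNC Server", eventID 256) and in /var/log/syslog on Linux
(program vncserver-x11).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Linux syslog prefix written by vncserver-x11, e.g.
#   "Mar 22 13:00:46 carbon vncserver-x11[777,root]: Connections: ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"vncserver-x11\[(?P<pid>\d+)(?:,(?P<runas>[^\]]*))?\]: (?P<body>.*)$"
)
# Event body.  The Windows eventdata field reads "Connections, authenticated:",
# the Windows message and the Linux syslog line read "Connections: authenticated:",
# so either separator is accepted.
BODY_RE = re.compile(r"^Connections[:,] (?P<event>authenticated|disconnected): (?P<rest>.*)$")
# Cloud (RealVNC Connect) connection: "<account email> (from <address>)".
# The closing parenthesis is optional (assumption) so the redacted sample parses.
CLOUD_RE = re.compile(r"^(?P<email>[^\s(]+@[^\s(]+) \(from (?P<src>[^,)]+)\)?(?P<tail>.*)$")
# Direct connection: "<address>::<port> (TCP|UDP)".  The port is optional so a
# redacted "<IP address redacted> (UDP)" still parses.
DIRECT_RE = re.compile(r"^(?P<src>.+?)(?:::(?P<port>\d+))? \((?P<transport>TCP|UDP)\)(?P<tail>.*)$")
AUTH_TAIL_RE = re.compile(r"^, as (?P<user>\S+) \((?P<perms>[^)]*) permissions\)\s*$")
DISC_TAIL_RE = re.compile(r"^ \((?:\[(?P<code>\w+)\] )?(?P<reason>[^)]*)\)\s*$")


@dataclass
class VncEvent:
    event: str                       # "authenticated" or "disconnected"
    src: str                         # connecting address exactly as logged
    port: Optional[str] = None       # source port (direct connections only)
    transport: Optional[str] = None  # "TCP" or "UDP" (direct connections only)
    email: Optional[str] = None      # RealVNC Connect account (cloud connections only)
    user: Optional[str] = None       # account authenticated as
    perms: Optional[str] = None      # permission letters granted by RealVNC Server
    code: Optional[str] = None       # bracketed disconnect code, e.g. "AuthFailure"
    reason: Optional[str] = None     # disconnect reason text
    host: Optional[str] = None       # logging host (Linux syslog only)


def parse_body(body: str, host: Optional[str] = None) -> Optional[VncEvent]:
    """Parse the "Connections ..." text; returns None for lines of other kinds."""
    m = BODY_RE.match(body)
    if not m:
        return None
    event, rest = m.group("event"), m.group("rest")
    ep = CLOUD_RE.match(rest) or DIRECT_RE.match(rest)
    if not ep:
        return None
    fields = ep.groupdict()
    tail = fields.pop("tail")
    ev = VncEvent(event=event, host=host, **fields)
    if event == "authenticated":
        t = AUTH_TAIL_RE.match(tail)
        if not t:
            return None
        ev.user, ev.perms = t.group("user"), t.group("perms")
    else:
        t = DISC_TAIL_RE.match(tail)
        if not t:
            return None
        ev.code, ev.reason = t.group("code"), t.group("reason")
    return ev


def parse_line(line: str) -> Optional[VncEvent]:
    """Accept either a Linux syslog line or a bare Windows eventdata/message string."""
    m = SYSLOG_RE.match(line)
    if m:
        return parse_body(m.group("body"), host=m.group("host"))
    return parse_body(line.strip().strip('"'))


def auth_failures_by_source(events: Iterable[VncEvent]) -> Counter:
    """Count [AuthFailure] disconnections per source address: repeated failures
    from one address are the brute-force signal a correlation rule should key on."""
    return Counter(e.src for e in events if e.event == "disconnected" and e.code == "AuthFailure")


# Constructed sample lines in the default RealVNC Server log format.
SAMPLE_LINES = [
    "Connections, authenticated: 192.168.1.37::55645 (UDP), as andrew (d permissions)",
    "Connections, disconnected: 192.168.1.37::62213 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)",
    "Mar 22 13:00:46 carbon vncserver-x11[777,root]: Connections: authenticated: user@example.com (from <IP address redacted>, as test (d permissions)",
    "Mar 22 13:04:13 carbon vncserver-x11[777,root]: Connections: disconnected: user@example.com (from 203.0.113.5) ([ViewerClosed] VNC Viewer closed)",
    '"Connections: disconnected: 192.168.1.37::60526 (UDP) ([IdleTimeout] The authentication period has timed out.)"',
    "Connections, disconnected: 192.168.1.37::62214 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)",
    "Mar 22 13:05:00 carbon vncserver-x11[777,root]: Connections: connected: 198.51.100.7::41000 (TCP)",  # skipped: not auth/disconnect
]


def parse_samples() -> list:
    """Parse SAMPLE_LINES, dropping lines that are not authentication/disconnection events."""
    return [e for e in (parse_line(line) for line in SAMPLE_LINES) if e is not None]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev)
    print(auth_failures_by_source(parse_samples()))
```

Feeding the parsed fields back to Wazuh as a custom decoder (so that srcip and user are populated and <same_srcip /> or <same_user /> become usable in frequency rules) is the natural next step; the regular expressions above are the ones such a decoder would need to reproduce.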

These security events are displayed in the Wazuh web UI as shown below (Windows device):

[Image: wazuh-events.png, the RealVNC alerts listed in the Wazuh web UI]
