Wazuh is a free, open-source security platform providing XDR and SIEM capabilities.
For more information on Wazuh, see https://wazuh.com/
To show how RealVNC Server events can be reported in Wazuh, we created the following simple rules to log RealVNC Server authentications and disconnections on Linux and Windows. Both Linux and Windows devices use the default RealVNC Server logging.
This was done purely for demonstration purposes and the rules are purposely very simple.
They do, however, demonstrate how RealVNC Connect server events can be monitored centrally and provide information that may be useful for security operations, including the user connecting, the account email address (in the case of cloud connections), the IP address of the connecting RealVNC Viewer and the permissions granted by RealVNC Server.
Configuring Wazuh Rules
Windows
rules file: vncserver-windows-auth.xml
<group name="windows,windows_application,">
  <rule id="100503" level="3">
    <if_sid>60600</if_sid>
    <field name="win.system.providerName">^VNC Server$</field>
    <field name="win.system.eventID">^256$</field>
    <match>Connections, authenticated:</match>
    <options>no_full_log</options>
    <description>RealVNC : VNC Server authentication successful</description>
    <mitre>
      <id>T1078</id>
      <id>T1021</id>
    </mitre>
  </rule>
  <rule id="100504" level="3">
    <if_sid>60600</if_sid>
    <field name="win.system.providerName">^VNC Server$</field>
    <field name="win.system.eventID">^256$</field>
    <match>Connections: disconnected:</match>
    <options>no_full_log</options>
    <description>RealVNC : VNC Server disconnection</description>
  </rule>
</group>
Linux
rules file: realvnc-server.xml
<group name="syslog">
  <rule id="105900" level="3">
    <program_name>vncserver-x11</program_name>
    <description>VNC Server rules</description>
  </rule>
  <rule id="105901" level="3">
    <!-- child of 105900, so the match is only tested against vncserver-x11 syslog lines -->
    <if_sid>105900</if_sid>
    <match>Connections: authenticated:</match>
    <description>RealVNC : VNC Server authentication successful</description>
    <mitre>
      <id>T1078</id>
      <id>T1021</id>
    </mitre>
  </rule>
  <rule id="105902" level="3">
    <if_sid>105900</if_sid>
    <match>Connections: disconnected:</match>
    <description>RealVNC : VNC Server disconnection</description>
  </rule>
</group>
Example events
Below are samples of the events generated using the simple rules above. The pertinent details are the RealVNC log line (eventdata.data on Windows, full_log on Linux) and the rule fields attached to it.
Windows
Successful authentication
Direct connection to win11x64 from 192.168.1.37, JSON view
{
"cluster": {
"node": "worker01",
"name": "wazuh"
},
"agent": {
"ip": "192.168.1.6",
"name": "win11x64",
"id": "003"
},
"manager": {
"name": "wazuh-worker"
},
"data": {
"win": {
"eventdata": {
"data": "Connections, authenticated: 192.168.1.37::55645 (UDP), as andrew (d permissions)"
},
"system": {
"eventID": "256",
"keywords": "0x80000000000000",
"level": "4",
"channel": "Application",
"opcode": "0",
"message": "\"Connections: authenticated: <IP address redacted> (UDP), as user (d permissions)\"",
"version": "0",
"systemTime": "2023-03-22T13:07:00.9405565Z",
"eventRecordID": "18347",
"threadID": "0",
"computer": "win11x64.grayway.local",
"task": "1",
"processID": "3452",
"severityValue": "INFORMATION",
"providerName": "VNC Server"
}
}
},
"rule": {
"firedtimes": 1,
"mail": false,
"level": 3,
"description": "RealVNC : VNC Server authentication successful",
"groups": [
"windows",
"windows_application"
],
"mitre": {
"technique": [
"Valid Accounts",
"Remote Services"
],
"id": [
"T1078",
"T1021"
],
"tactic": [
"Defense Evasion",
"Initial Access",
"Persistence",
"Privilege Escalation",
"Lateral Movement"
]
},
"id": "100503"
},
"decoder": {
"name": "windows_eventchannel"
},
"input": {
"type": "log"
},
"@timestamp": "2023-03-22T13:07:01.243Z",
"location": "EventChannel",
"id": "1679490421.3636256",
"timestamp": "2023-03-22T13:07:01.243+0000",
"_id": "3yNuCYcBfxLkvmQ5H8Kc"
}
Unsuccessful connection (authentication failure - incorrect username/password)
Direct connection to win11x64 from 192.168.1.37, JSON view
{
"cluster": {
"node": "worker01",
"name": "wazuh"
},
"agent": {
"ip": "192.168.1.6",
"name": "win11x64",
"id": "003"
},
"manager": {
"name": "wazuh-worker"
},
"data": {
"win": {
"eventdata": {
"data": "Connections, disconnected: 192.168.1.37::62213 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)"
},
"system": {
"eventID": "256",
"keywords": "0x80000000000000",
"level": "4",
"channel": "Application",
"opcode": "0",
"message": "\"Connections: disconnected: 192.168.1.37::62213 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)\"",
"version": "0",
"systemTime": "2023-03-22T14:28:47.7294381Z",
"eventRecordID": "18366",
"threadID": "0",
"computer": "win11x64.grayway.local",
"task": "1",
"processID": "3452",
"severityValue": "INFORMATION",
"providerName": "VNC Server"
}
}
},
"rule": {
"firedtimes": 1,
"mail": false,
"level": 3,
"description": "RealVNC : VNC Server disconnection",
"groups": [
"windows",
"windows_application"
],
"id": "100504"
},
"decoder": {
"name": "windows_eventchannel"
},
"input": {
"type": "log"
},
"@timestamp": "2023-03-22T14:28:47.909Z",
"location": "EventChannel",
"id": "1679495327.3980121",
"timestamp": "2023-03-22T14:28:47.909+0000",
"_id": "XiO4CYcBfxLkvmQ5-MRq"
}
Authentication timeout events (only the message field is shown)
"message": "\"Connections: disconnected: 192.168.1.37::60526 (UDP) ([IdleTimeout] The authentication period has timed out.)\"",
Linux
RealVNC Connect Cloud connection
Connection to machine named carbon from user with email user@example.com
agent.ip: 192.168.1.217
agent.name: carbon
agent.id: 001
cluster.node: worker01
cluster.name: wazuh
manager.name: wazuh-worker
rule.firedtimes: 1
rule.mail: false
rule.level: 3
rule.description: RealVNC : VNC Server authentication successful
rule.groups: syslog
rule.mitre.technique: Valid Accounts, Remote Services
rule.mitre.id: T1078, T1021
rule.mitre.tactic: Defense Evasion, Initial Access, Persistence, Privilege Escalation, Lateral Movement
rule.id: 105901
full_log: Mar 22 13:00:46 carbon vncserver-x11[777,root]: Connections: authenticated: user@example.com (from <IP address redacted>, as test (d permissions)
location: /var/log/syslog
Disconnection (cause: viewer closed)
agent.ip: 192.168.1.217
agent.name: carbon
agent.id: 001
cluster.node: worker01
cluster.name: wazuh
manager.name: wazuh-worker
rule.firedtimes: 1
rule.mail: false
rule.level: 3
rule.description: RealVNC : VNC Server disconnection
rule.groups: syslog
rule.id: 105902
full_log: Mar 22 13:04:13 carbon vncserver-x11[777,root]: Connections: disconnected: user@example.com (from <IP address redacted>) ([ViewerClosed] VNC Viewer closed)
location: /var/log/syslog
These security events are displayed in the Wazuh web UI (screenshot of a Windows device not reproduced here).
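As an added example (not from the original article), the following Python pulls out the fields the article highlights from the two log line formats shown above, maps each line to the rule that would fire, and counts AuthFailure disconnects per viewer IP. The sample lines are constructed, and the address 192.0.2.10 on the Linux lines is a placeholder for the redacted IP.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

SAMPLES = [  # constructed sample lines modelled on the events above, not real captures
    ("windows", "Connections, authenticated: 192.168.1.37::55645 (UDP), as andrew (d permissions)"),
    ("windows", "Connections, disconnected: 192.168.1.37::62213 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)"),
    ("linux", "Mar 22 13:00:46 carbon vncserver-x11[777,root]: Connections: authenticated: user@example.com (from 192.0.2.10), as test (d permissions)"),
    ("linux", "Mar 22 13:04:13 carbon vncserver-x11[777,root]: Connections: disconnected: user@example.com (from 192.0.2.10) ([ViewerClosed] VNC Viewer closed)"),
    ("linux", "Mar 22 13:05:00 carbon sshd[900]: Accepted publickey for test from 192.0.2.10"),
]

@dataclass
class VncEvent:
    action: str                 # "authenticated" or "disconnected"
    rule_id: str                # Wazuh rule id from the rule files above
    endpoint: str               # direct: viewer ip::port, cloud: account email address
    viewer_ip: Optional[str]    # IP address of the connecting RealVNC Viewer
    user: Optional[str]         # local account the session runs as
    permissions: Optional[str]  # permission letters granted by VNC Server
    reason: Optional[str]       # bracketed disconnect reason code, e.g. AuthFailure
# Windows eventdata lines read "Connections, ...", Linux syslog lines "Connections: ...".
RULE_IDS = {("windows", "authenticated"): "100503", ("windows", "disconnected"): "100504",
            ("linux", "authenticated"): "105901", ("linux", "disconnected"): "105902"}
HEAD = re.compile(r"Connections[,:] (authenticated|disconnected): (.*)$")
DIRECT = re.compile(r"^((\d{1,3}(?:\.\d{1,3}){3})::\d+) \((?:UDP|TCP)\)")  # direct connection
CLOUD = re.compile(r"^(\S+@\S+) \(from ([^),]+)\)?")                       # cloud connection
AS_USER = re.compile(r", as (\S+) \((\S+) permissions\)")
REASON = re.compile(r"\(\[(\w+)\] ")

def parse_vnc_line(line: str, platform: str) -> Optional[VncEvent]:
    """Return the fields the article calls out, or None when neither rule would fire."""
    m = HEAD.search(line)
    if not m:
        return None
    action, rest = m.group(1), m.group(2)
    d, c = DIRECT.match(rest), CLOUD.match(rest)
    endpoint, viewer_ip = ((d.group(1), d.group(2)) if d else
                           (c.group(1), c.group(2)) if c else (rest.split(" ")[0], None))
    u, r = AS_USER.search(rest), REASON.search(rest)
    return VncEvent(action, RULE_IDS[(platform, action)], endpoint, viewer_ip,
                    u.group(1) if u else None, u.group(2) if u else None, r.group(1) if r else None)

def failed_auths_by_ip(records) -> Dict[str, int]:
    """The rules above log every disconnection at level 3; counting AuthFailure disconnects per viewer IP is the natural follow-up check."""
    counts: Dict[str, int] = {}
    for platform, line in records:
        ev = parse_vnc_line(line, platform)
        if ev and ev.reason == "AuthFailure" and ev.viewer_ip:
            counts[ev.viewer_ip] = counts.get(ev.viewer_ip, 0) + 1
    return counts
```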