Logging VNC Server events using Wazuh

Follow

 

Wazuh is a free, Open Source security platform providing XDR and SIEM capabilities.

For more information on Wazuh, see https://wazuh.com/

To show how VNC Server events can be reported in Wazuh, we created the following simple rules to log VNC Server authentications and disconnections on Linux and Windows. Both Linux and Windows devices use the default VNC Server logging.

This was done purely for demonstration purposes and the rules are purposely very simple.

They do, however, demonstrate how VNC Connect server events can be monitored centrally and provide the information that may be useful for security operations including the user connecting, the account email address (in the case of cloud connections), the IP address of the connecting VNC Viewer and the permissions granted by VNC Server.

Windows:

rules file: vncserver-windows-auth.xml

<group name="windows,windows_application,">
<rule id="100503" level="3">
<if_sid>60600</if_sid>
<field name="win.system.providerName">^VNC Server$</field>
<field name="win.system.eventID">^256$</field>
<match>Connections, authenticated:</match>
<options>no_full_log</options>
<description>RealVNC : VNC Server authentication successful</description>
<mitre>
<id>T1078</id>
<id>T1021</id>
</mitre>
</rule>

<rule id="100504" level="3">
<if_sid>60600</if_sid>
<field name="win.system.providerName">^VNC Server$</field>
<field name="win.system.eventID">^256$</field>
<match>Connections: disconnected:</match>
<options>no_full_log</options>
<description>RealVNC : VNC Server disconnection</description>
</rule>
</group>


Linux:

rules file: realvnc-server.xml

<group name="syslog">
<rule id="105900" level="3">
<program_name>vncserver-x11</program_name>
<description>VNC Server rules</description>
</rule>

<rule id="105901" level="3">
<match>Connections: authenticated:</match>
<description>RealVNC : VNC Server authentication successful</description>
<mitre>
<id>T1078</id>
<id>T1021</id>
</mitre>
</rule>

<rule id="105902" level="3">
<match>Connections: disconnected:</match>
<description>RealVNC : VNC Server disconnection</description>
</rule>
</group>

 

Example events


Below are samples of the events generated using the simple rules above. Pertinent details are in bold:

Windows

(Successful authentication, Direct connection to win11x64 from 192.168.1.37, JSON view)

{
"cluster": {
"node": "worker01",
"name": "wazuh"
},
"agent": {
"ip": "192.168.1.6",
"name": "win11x64",
"id": "003"
},
"manager": {
"name": "wazuh-worker"
},
"data": {
"win": {
"eventdata": {
"data": "Connections, authenticated: 192.168.1.37::55645 (UDP), as andrew (d permissions)"
},
"system": {
"eventID": "256",
"keywords": "0x80000000000000",
"level": "4",
"channel": "Application",
"opcode": "0",
"message": "\"Connections: authenticated: <IP address redacted> (UDP), as user (d permissions)\"",
"version": "0",
"systemTime": "2023-03-22T13:07:00.9405565Z",
"eventRecordID": "18347",
"threadID": "0",
"computer": "win11x64.grayway.local",
"task": "1",
"processID": "3452",
"severityValue": "INFORMATION",
"providerName": "VNC Server"
}
}
},
"rule": {
"firedtimes": 1,
"mail": false,
"level": 3,
"description": "RealVNC : VNC Server authentication successful",
"groups": [
"windows",
"windows_application"
],
"mitre": {
"technique": [
"Valid Accounts",
"Remote Services"
],
"id": [
"T1078",
"T1021"
],
"tactic": [
"Defense Evasion",
"Initial Access",
"Persistence",
"Privilege Escalation",
"Lateral Movement"
]
},
"id": "100503"
},
"decoder": {
"name": "windows_eventchannel"
},
"input": {
"type": "log"
},
"@timestamp": "2023-03-22T13:07:01.243Z",
"location": "EventChannel",
"id": "1679490421.3636256",
"timestamp": "2023-03-22T13:07:01.243+0000",
"_id": "3yNuCYcBfxLkvmQ5H8Kc"
}

 

Unsucessful connection (authentication failure - incorrect username/password) on direct connection to win11x64 from 192.168.1.37, JSON view)

{
"cluster": {
"node": "worker01",
"name": "wazuh"
},
"agent": {
"ip": "192.168.1.6",
"name": "win11x64",
"id": "003"
},
"manager": {
"name": "wazuh-worker"
},
"data": {
"win": {
"eventdata": {
"data": "Connections, disconnected: 192.168.1.37::62213 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)"
},
"system": {
"eventID": "256",
"keywords": "0x80000000000000",
"level": "4",
"channel": "Application",
"opcode": "0",
"message": "\"Connections: disconnected: 192.168.1.37::62213 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)\"",
"version": "0",
"systemTime": "2023-03-22T14:28:47.7294381Z",
"eventRecordID": "18366",
"threadID": "0",
"computer": "win11x64.grayway.local",
"task": "1",
"processID": "3452",
"severityValue": "INFORMATION",
"providerName": "VNC Server"
}
}
},
"rule": {
"firedtimes": 1,
"mail": false,
"level": 3,
"description": "RealVNC : VNC Server disconnection",
"groups": [
"windows",
"windows_application"
],
"id": "100504"
},
"decoder": {
"name": "windows_eventchannel"
},
"input": {
"type": "log"
},
"@timestamp": "2023-03-22T14:28:47.909Z",
"location": "EventChannel",
"id": "1679495327.3980121",
"timestamp": "2023-03-22T14:28:47.909+0000",
"_id": "XiO4CYcBfxLkvmQ5-MRq"
}

 

Authentication time out events appear as :

"message": "\"Connections: disconnected: 192.168.1.37::60526 (UDP) ([IdleTimeout] The authentication period has timed out.)\"",

 

Linux

VNC Connect Cloud connection to machine named carbon from user with email user@example.com


agent.ip
192.168.1.217
agent.name
carbon
agent.id
001
cluster.node
worker01
cluster.name
wazuh
manager.name
wazuh-worker
rule.firedtimes
1

rule.mail
false
rule.level
3
rule.description
RealVNC : VNC Server authentication successful
rule.groups
syslog
rule.mitre.technique
Valid Accounts, Remote Services
rule.mitre.id
T1078, T1021
rule.mitre.tactic
Defense Evasion, Initial Access, Persistence, Privilege Escalation, Lateral Movement
rule.id
105901
full_log
Mar 22 13:00:46 carbon vncserver-x11[777,root]: Connections: authenticated: user@example.com (from <IP address redacted>, as test (d permissions)
location
/var/log/syslog



Disconnection (cause: viewer closed)

 

agent.ip
192.168.1.217
agent.name
carbon
agent.id
001
cluster.node
worker01
cluster.name
wazuh
manager.name
wazuh-worker
rule.firedtimes
1
rule.mail
false
rule.level
3
rule.description
RealVNC : VNC Server disconnection
rule.groups
syslog
rule.id
105902
full_log
Mar 22 13:04:13 carbon vncserver-x11[777,root]: Connections: disconnected: user@example.com (from <IP address redacted) ([ViewerClosed] VNC Viewer closed)
location
/var/log/syslog




These security events are displayed in the Wazuh web UI as shown (Windows device shown) :

wazuh-events.png

 

Was this article helpful?
1 out of 1 found this helpful

Comments

0 comments

Please sign in to leave a comment.