Description: Looks for the VNC service running on machines. This is used often when attackers gain access to a machine, running VNC to allow them to interactively access a machine.
What The Data Shows: VNC service is running on a machine.
SQL:
SELECT display_name,status,s.pid,p.path
FROM services AS s
JOIN processes AS p
USING(pid)
WHERE s.name LIKE "%vnc%";