
Detecting VNC services installed/running

Description: Looks for the VNC service running on machines. VNC is often used when attackers gain access to a machine, running it to allow them to access the machine interactively.
What The Data Shows: VNC service is running on a machine.
SQL:
SELECT display_name,status,s.pid,p.path
FROM services AS s
JOIN processes AS p
USING(pid)
WHERE s.name LIKE '%vnc%';
3 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@mjomha would you consider adding a join to the processes table to get the path?

SELECT display_name,status,s.pid,p.path
FROM services AS s
JOIN processes AS p
    USING(pid)
WHERE s.name LIKE '%vnc%';
mjomha
Contributor

Thanks!

I was aiming to just find the VNC service running on machines if an environment does not use VNC at all, but in cases where VNC might legitimately be used in an environment, having the path would help identify whether it's legitimate or being used maliciously.

jnelson
Carbon Black Employee
Status changed to: Approved
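
The thread's title covers installed as well as running services, and the comments point out that the path helps separate legitimate from malicious use. The query below is an added example, not code from either poster, that extends the approved query in both directions. It assumes a Windows endpoint (the `authenticode` table is Windows-only) and assumes that stopped services report `pid` 0; the column aliases are illustrative.

```sql
-- Added example: list VNC services whether running or stopped,
-- with the context needed to triage each hit.
SELECT
    s.name,
    s.display_name,
    s.status,
    s.start_type,                        -- e.g. auto-start services survive reboots
    s.user_account,                      -- account the service runs as
    s.path         AS service_command,   -- configured image path, may include arguments
    p.path         AS process_path,      -- NULL when the service is not running
    h.sha256       AS process_sha256,    -- compare against known-good installer hashes
    a.result       AS signature_status,  -- Authenticode verification result
    a.subject_name AS signer
FROM services AS s
-- LEFT JOIN keeps installed-but-stopped services in the result set.
-- Assumption: stopped services report pid 0, which must not be joined to a process.
LEFT JOIN processes AS p
    ON p.pid = s.pid AND s.pid > 0
-- Hash and signature are taken from the running image, because
-- services.path can carry quotes and arguments and is not a clean file path.
LEFT JOIN hash AS h
    ON h.path = p.path
LEFT JOIN authenticode AS a
    ON a.path = p.path
-- Match on the service name, the display name and the configured binary,
-- so a service with a generic name but a VNC binary is still returned.
WHERE s.name LIKE '%vnc%'
   OR s.display_name LIKE '%vnc%'
   OR s.path LIKE '%vnc%';
```

Rows where `process_path` sits outside the expected install directory, or where `signature_status` is anything other than trusted, are the ones to review first.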