ET SCAN Potential VNC Scan 5900-5920

This alert is triggered when an external source sends repeated TCP connection attempts (SYN packets) to ports 5900-5920 on the internal network; per the signature below, the threshold is 5 attempts from the same source within 60 seconds. Ports 5900-5920 are used by Virtual Network Computing (VNC), a screen-sharing service that opens the network to remote communication. The alert may be triggered when an adversary is attempting to scan the network or gain initial access.

Categories:

ID Number

4000715

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:4000715; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
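
To show which traffic actually raises this alert, the following added example (not part of the original rule page or of any IDS engine's code) replays constructed packet records through a simplified model of the signature: the header and `flags:S,12` test, then `threshold: type both, track by_src, count 5, seconds 60` modelled as a fixed per-source window. The `HOME_NET` value, the addresses and the `matches_rule`, `alerts` and `syn` helpers are assumptions made for illustration.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed value for $HOME_NET
SYN, ACK, ECE, CWR = 0x02, 0x10, 0x40, 0x80
COUNT, SECONDS = 5, 60  # threshold: count 5, seconds 60


def matches_rule(pkt):
    """Header and flags test: external -> HOME_NET 5900:5920, flags:S,12."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    syn_only = (pkt["flags"] & ~(ECE | CWR)) == SYN  # ",12" ignores the two reserved bits
    return src not in HOME_NET and dst in HOME_NET and 5900 <= pkt["dport"] <= 5920 and syn_only


def alerts(packets):
    """Apply 'type both, track by_src' as a fixed window per source."""
    state = {}  # src -> (window_start, count)
    fired = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if not matches_rule(pkt):
            continue
        start, count = state.get(pkt["src"], (pkt["ts"], 0))
        if pkt["ts"] - start >= SECONDS:  # window expired: start a new one
            start, count = pkt["ts"], 0
        count += 1
        state[pkt["src"]] = (start, count)
        if count == COUNT:  # alert once per window, later hits are suppressed
            fired.append((pkt["ts"], pkt["src"]))
    return fired


def syn(ts, src, dport, flags=SYN, dst="10.0.0.5"):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "flags": flags}


# Constructed sample traffic (documentation addresses, not real observations).
SAMPLE = (
    [syn(t, "203.0.113.7", 5900 + t) for t in range(8)]          # sweep: 8 SYNs in 8 s
    + [syn(t * 20, "198.51.100.9", 5900) for t in range(5)]      # slow: 5 SYNs over 80 s
    + [syn(t, "192.0.2.44", 5901, SYN | ACK) for t in range(6)]  # SYN-ACKs: flags do not match
    + [syn(t, "10.0.0.8", 5900) for t in range(6)]               # internal source
    + [syn(100 + t, "203.0.113.7", 5910) for t in range(5)]      # same scanner, later window
)

if __name__ == "__main__":
    for ts, src in alerts(SAMPLE):
        print(f"t={ts:>3}s  ET SCAN Potential VNC Scan 5900-5920  src={src}")
```

Only the fast sweep alerts, once per 60-second window; the source that spaces its attempts 20 seconds apart never reaches 5 hits inside one window, which is worth keeping in mind when treating the absence of this alert as evidence that no scan took place.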

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to limit VNC communication from external networks. If VNC is not in use, it is recommended to disable this communication.