
During a recent incident response engagement, an attacker installed UltraVNC as a backdoor on a domain controller. Forensic analysis showed that the attacker connected from an IP address allocated to M247, a hosting provider whose ranges are commonly used by commercial VPN exit nodes. Remote access and Remote Monitoring and Management (RMM) tools such as UltraVNC keep their own log files, and these are often the only record of who connected and when. In this case the relevant UltraVNC log file was found at:
C:\ProgramData\Packages\uvnc bvba\UltraVNC\mslogon.log
For additional artifacts and forensic details, JPCERT has published a comprehensive presentation:
JPCERT UltraVNC Analysis
You Should Know:
Detecting UltraVNC Backdoor Activity
1. Check for UltraVNC Installation
Get-ChildItem "C:\Program Files\", "C:\Program Files (x86)\", "C:\ProgramData\" -Recurse -Include "*vnc*" -ErrorAction SilentlyContinue
Note the wildcards: -Include "vnc" would only match a file named exactly "vnc". Attackers frequently rename the installer or install to a non-default directory, so treat an empty result as inconclusive and rely on the service, process and network checks below as well.
2. Analyze Log Files
type "C:\ProgramData\Packages\uvnc bvba\UltraVNC\mslogon.log"
3. Check Network Connections
netstat -ano | findstr ":5900 :5800"
5900 (RFB) and 5800 (HTTP/Java viewer) are only the default VNC ports; the UltraVNC listening port is configurable, so also filter netstat output on the PID of any VNC process found in step 5.
4. Review Scheduled Tasks for Persistence
Get-ScheduledTask | Where-Object { $_.TaskName -like "*vnc*" -or ($_.Actions | Where-Object { $_.Execute -like "*vnc*" -or $_.Arguments -like "*vnc*" }) }
5. Hunt for Suspicious Processes
tasklist /svc | findstr /i "vnc"
A default UltraVNC server install registers the service uvnc_service, whose binary is winvnc.exe; look for either name, but also for winvnc.exe running outside the service (for example from a user profile directory).
6. Extract Registry Keys
reg query HKLM\SOFTWARE /f "UltraVNC" /s
reg query HKLM\SYSTEM\CurrentControlSet\Services\uvnc_service /s
The second query returns the service's ImagePath and start type even when the software key has been removed.
7. Check Firewall Rules
Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*vnc*" } | Select-Object DisplayName, Direction, Action, Enabled
The UltraVNC installer adds its own allow rules; an attacker-created rule with a generic name is a persistence indicator in its own right.
8. Memory Analysis (Using Volatility)
volatility -f memory.dump --profile=Win10x64_19041 pslist | grep -i vnc
9. Block Malicious IPs
New-NetFirewallRule -DisplayName "Block M247 Attacker IP" -Direction Inbound -RemoteAddress 1.2.3.4 -Action Block
New-NetFirewallRule -DisplayName "Block M247 Attacker IP (outbound)" -Direction Outbound -RemoteAddress 1.2.3.4 -Action Block
1.2.3.4 is a placeholder; substitute the address(es) recovered from mslogon.log. Block both directions, because UltraVNC also supports reverse connections to a viewer or repeater, in which case the host initiates the session outbound.
10. Remove UltraVNC Backdoor
Preserve the evidence first: copy mslogon.log, ultravnc.ini and the installed binaries off the host before removing anything, since the removal below destroys the log.
Stop-Service -Name uvnc_service -Force -ErrorAction SilentlyContinue
Stop-Process -Name winvnc -Force -ErrorAction SilentlyContinue
sc.exe delete uvnc_service
Remove-Item "C:\Program Files\UltraVNC\" -Recurse -Force
Also unregister any scheduled task and delete any firewall rule found in steps 4 and 7. On a domain controller, treat this as containment only: an attacker with administrative access to a DC has had the opportunity to dump credentials, so the domain-wide response (KRBTGT reset, credential rotation, rebuild of the DC) is not optional.
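The ten steps above are usually run one after another under time pressure, so the following script strings them together into a single triage pass that records what it finds and preserves the log before any cleanup. This is an added example written for this page, not code from the original report or from JPCERT. It assumes the default install roots and the mslogon.log path quoted above (adjust $roots and $log for a non-default install), the service name uvnc_service, and an elevated PowerShell session on the suspect host. Because the exact layout of mslogon.log is not documented on this page, the script does not parse the log by field; it extracts every IPv4 address on any line, which is enough to seed the firewall blocklist.

```powershell
# UltraVNC triage: added example (not from the original post or JPCERT).
# Assumptions: default install roots, the mslogon.log path reported above,
# service name uvnc_service / binary winvnc.exe, elevated PowerShell session.
param(
    [string]$EvidenceDir = "C:\IR\uvnc-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$report = [ordered]@{}

# 1. Install footprint: anything with "vnc" in its name under the usual roots.
$roots = "C:\Program Files", "C:\Program Files (x86)", "C:\ProgramData"
$report.Files = Get-ChildItem $roots -Recurse -Include "*vnc*" -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc

# 2. Service and process view, including a winvnc.exe run outside the service.
$report.Services = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like "*vnc*" -or $_.PathName -like "*vnc*" } |
    Select-Object Name, State, StartMode, PathName, StartName
$report.Processes = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -like "*vnc*" -or $_.CommandLine -like "*vnc*" } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate

# 3. Network: sockets owned by those PIDs, plus the default ports regardless of owner,
#    because the listening port is configurable in ultravnc.ini.
$pids = @($report.Processes | ForEach-Object ProcessId)
$report.Network = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { ($pids -contains $_.OwningProcess) -or ($_.LocalPort -in 5800, 5900) } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

# 4. Persistence: scheduled tasks, Run keys and firewall rules that reference vnc.
$report.Tasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -like "*vnc*" -or
    ($_.Actions | Where-Object { $_.Execute -like "*vnc*" -or $_.Arguments -like "*vnc*" })
} | Select-Object TaskName, TaskPath, State
$runKeys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
           "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$report.RunKeys = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Value -like "*vnc*" } |
            Select-Object @{ n = 'Key'; e = { $k } }, Name, Value
    }
}
$report.Firewall = Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*vnc*" } |
    Select-Object DisplayName, Direction, Action, Enabled

# 5. Preserve the logon log and config BEFORE any removal, then pull remote
#    addresses out of the log for the blocklist. The log format is not assumed;
#    any IPv4 address on any line is collected.
$log = "C:\ProgramData\Packages\uvnc bvba\UltraVNC\mslogon.log"
$report.LogAddresses = @()
if (Test-Path $log) {
    Copy-Item $log (Join-Path $EvidenceDir "mslogon.log")
    $report.LogAddresses = Select-String -Path $log -Pattern '\b(\d{1,3}\.){3}\d{1,3}\b' -AllMatches |
        ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
}
Get-ChildItem $roots -Recurse -Include "ultravnc.ini" -ErrorAction SilentlyContinue |
    Copy-Item -Destination $EvidenceDir -ErrorAction SilentlyContinue

# Write the findings next to the preserved artifacts and echo them to the console.
$report | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $EvidenceDir "uvnc-triage.json")
$report
```

Run it before step 10, not after: once the UltraVNC directory is deleted, mslogon.log and ultravnc.ini are gone with it. The JSON report gives the addresses to feed into step 9 and the task, Run-key and firewall-rule names to remove alongside the service; the time stamps on the files and the service's CreationDate help bound when the backdoor was installed. The address extraction is deliberately loose: it will also pick up local addresses that appear in the log, so review the list rather than blocking it blindly.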
What Undercode Say
Attackers frequently abuse legitimate remote access tools like UltraVNC for persistence, because a signed, widely deployed tool attracts far less attention than custom malware. Forensic artifacts such as the tool's own log files (mslogon.log), registry keys, scheduled tasks and network connections are critical for detection. Organizations should:
– Monitor the default VNC ports (5900, 5800), while remembering that the port is configurable and that reverse connections leave the host outbound.
– Restrict unauthorized remote access and RMM tool installations via GPO and application control (AppLocker or WDAC), and alert on installs of tools that are not on the approved list.
– Implement EDR solutions to detect unusual remote access patterns, such as a VNC service appearing on a domain controller.
– Regularly audit scheduled tasks, services and firewall rules.
For deeper analysis, refer to JPCERT’s guide on RMM tool forensics.
Expected Output:
- Detection of UltraVNC processes (winvnc.exe, normally running under the uvnc_service service).
- Identification of the attacker's connections in mslogon.log.
- Blocking of the attacker's IP addresses via firewall rules.
- Removal of the backdoor and its persistence mechanisms.
Prediction
As attackers increasingly abuse RMM tools, defenders will need enhanced logging and behavioral detection to identify malicious remote access. Future incidents may involve more sophisticated obfuscation techniques, requiring memory forensics and anomaly-based detection.
References:
Reported By: Stephan Berger – Hackers Feeds