Sigma rules for CVE-2026-4962
2 rules · scoped to cve · back to CVE-2026-4962
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious UltraVNC Execution
id: 871b9555-69ca-4993-99d3-35a59f9f3599
status: test
description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
references:
- https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
- https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
author: Bhabesh Raj
date: 2022-03-04
modified: 2022-03-09
tags:
- attack.lateral-movement
- attack.g0047
- attack.t1021.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-autoreconnect '
- '-connect '
- '-id:'
condition: selection
falsepositives:
- Unknown
level: high
title: Use of UltraVNC Remote Access Software
id: 145322e4-0fd3-486b-81ca-9addc75736d8
status: test
description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
author: frack113
date: 2022-10-02
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: VNCViewer
- Product: UltraVNC VNCViewer
- Company: UltraVNC
- OriginalFileName: VNCViewer.exe
condition: selection
falsepositives:
- Legitimate use
level: medium