vlc.exe (Windows executable, Low Risk): VLC Media Player - VideoLAN Client Analysis [2026]
VLC is a popular open-source media player. It has been exploited via malicious media files and can potentially be used for screen recording or covert streaming.
Risk Summary
| Factor | Assessment |
|---|---|
| Detection Difficulty | Low |
| Abuse Potential | Low-Medium |
| Prevalence | Very Common |
| Risk Score | 30/100 |
VLC is a widely used media player that has had vulnerabilities exploited via malicious media files.
Overview
What is vlc.exe?
VLC (VideoLAN Client) is a free, open-source, cross-platform media player developed by VideoLAN.
Key Characteristics
| Attribute | Value |
|---|---|
| File Name | vlc.exe |
| Developer | VideoLAN |
| Digital Signature | VideoLAN |
| Typical Size | 150-250 MB |
| Type | Media Player |
Technical Details
| Property | Description |
|---|---|
| Process Type | User Application |
| Network Activity | Streaming protocols |
| Codecs | Extensive built-in codec support |
| Features | Recording, transcoding, streaming |
VLC supports virtually all media formats and includes advanced features like streaming and recording.
Normal Behavior
Legitimate Usage Patterns
vlc.exe (Main application)
vlc.exe --fullscreen video.mp4 (Fullscreen playback)
vlc.exe --sout (Streaming output)
vlc.exe screen:// (Screen capture)
Expected Characteristics
| Aspect | Expected Behavior |
|---|---|
| Parent Process | explorer.exe |
| User Context | Current user |
| Network | Streaming sources, updates |
| GPU Usage | Moderate during playback |
Command-Line Capabilities
| Feature | Command |
|---|---|
| Stream | --sout="#..." |
| Record | --sout-file=... |
| Capture | screen:// |
| Transcode | --sout-transcode |
Common Locations
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
Suspicious Indicators
Red Flags
| Indicator | Concern Level | Description |
|---|---|---|
| Screen capture mode | Medium | Recording screen content |
| Unusual streaming | High | Streaming to unknown server |
| Headless operation | Medium | Running without GUI |
| Malicious media files | High | Exploiting codec vulnerabilities |
Exploitation Indicators
VLC Exploitation Vectors:
- Maliciously crafted video files
- Malformed subtitles (CVE-2017-10699)
- Heap overflow via media files
- Directory traversal in archives
Streaming Abuse
| Pattern | Concern |
|---|---|
| screen:// capture | Screen recording |
| Unknown sout destination | Exfiltration |
| webcam:// access | Camera recording |
| Scheduled streaming | Surveillance |
Abuse Techniques
Screen Recording
```bat
:: VLC screen recording
vlc.exe screen:// --sout="#transcode{vcodec=h264}:file{dst=recording.mp4}"

:: Stream screen to remote server
vlc.exe screen:// --sout="#transcode{vcodec=h264}:http{mux=ts,dst=:8080/}"
```
Exploitation via Media Files
Media File Exploit:
1. Craft malicious video/subtitle file
2. Victim opens with VLC
3. Vulnerability triggered
4. Code execution achieved
5. Malware deployed
Remote Streaming
| Technique | Implementation |
|---|---|
| Screen Capture | screen:// source with network output |
| Webcam Capture | dshow:// with streaming |
| Audio Recording | Audio capture and streaming |
| Desktop Surveillance | Continuous recording |
Command Injection Potential
Historical VLC Issues:
- Subtitle parsing vulnerabilities
- Playlist parsing flaws
- Media file parser bugs
- Remote stream exploitation
Detection Guidance
Sysmon Configuration
```xml
<RuleGroup name="VLC Monitoring" groupRelation="or">
  <ProcessCreate onmatch="include">
    <!-- Each Rule requires BOTH conditions (vlc.exe AND the argument) -->
    <Rule name="VLC screen capture" groupRelation="and">
      <Image condition="end with">vlc.exe</Image>
      <CommandLine condition="contains">screen://</CommandLine>
    </Rule>
    <Rule name="VLC stream output" groupRelation="and">
      <Image condition="end with">vlc.exe</Image>
      <CommandLine condition="contains">--sout</CommandLine>
    </Rule>
  </ProcessCreate>
</RuleGroup>
```
Sigma Rule
```yaml
title: VLC Screen Capture or Streaming
status: experimental
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\vlc.exe'
    suspicious:
        CommandLine|contains:
            - 'screen://'
            - '--sout'
            - 'webcam'
    condition: selection and suspicious
falsepositives:
    - Legitimate screencasting
    - Media server usage
level: medium
```
KQL Query
```kusto
DeviceProcessEvents
| where FileName =~ "vlc.exe"
| where ProcessCommandLine has_any ("screen://", "--sout", "webcam")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

// VLC network streaming
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "vlc.exe"
| where RemotePort in (8080, 8554, 554) // Common streaming ports
| project Timestamp, DeviceName, RemoteIP, RemotePort
```
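The rules above alert on any `screen://` or `--sout` use alike. As an added example (not part of the original page), this Python triage function grades a process-creation event using the indicators from the tables on this page. The list of network sout modules, the `-I dummy` headless flag and the severity mapping are assumptions, and the sample events are constructed.

```python
import re

# Expected install paths and parent process, from the tables on this page.
EXPECTED_PATHS = (r"c:\program files\videolan\vlc\vlc.exe",
                  r"c:\program files (x86)\videolan\vlc\vlc.exe")
CAPTURE_SOURCES = ("screen://", "dshow://", "webcam")
# Assumption: sout chains using these modules send the stream over the network.
NETWORK_SOUT = re.compile(r"[:#](http|rtp|udp)\{|access=(http|udp|rtp)", re.I)
# Assumption: "-I dummy" / "--intf dummy" starts VLC without its GUI.
HEADLESS = re.compile(r"(?:-I|--intf)[ =]dummy", re.I)

def triage(event):
    """Return (level, findings) for one process-creation event (a dict)."""
    image = event["Image"].lower()
    if not image.endswith("\\vlc.exe"):
        return "none", []
    cmd = event["CommandLine"].lower()
    findings = []
    if image not in EXPECTED_PATHS:
        findings.append("unexpected path")
    if not event["ParentImage"].lower().endswith("\\explorer.exe"):
        findings.append("unexpected parent")
    if any(src in cmd for src in CAPTURE_SOURCES):
        findings.append("capture source")
    if "--sout" in cmd:
        findings.append("network sout" if NETWORK_SOUT.search(cmd) else "file sout")
    if HEADLESS.search(cmd):
        findings.append("headless")
    # Capture plus network output is the "unusual streaming" (High) case.
    if "capture source" in findings and "network sout" in findings:
        return "high", findings
    if {"capture source", "network sout", "file sout", "headless"} & set(findings):
        return "medium", findings
    return ("low" if findings else "none"), findings

VLC = r"C:\Program Files\VideoLAN\VLC\vlc.exe"
# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLES = [
    {"Image": VLC, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"vlc.exe" --fullscreen video.mp4'},
    {"Image": VLC, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'vlc.exe screen:// --sout="#transcode{vcodec=h264}:file{dst=recording.mp4}"'},
    {"Image": VLC, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'vlc.exe -I dummy screen:// --sout="#transcode{vcodec=h264}:http{mux=ts,dst=:8080/}"'},
    {"Image": r"C:\Users\Public\vlc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "vlc.exe video.mp4"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(triage(ev), ev["CommandLine"])
```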
Remediation Steps
Version Management
```powershell
# Check VLC version
$vlcPath = "C:\Program Files\VideoLAN\VLC\vlc.exe"
if (Test-Path $vlcPath) {
    (Get-Item $vlcPath).VersionInfo.FileVersion
}

# Ensure VLC is updated
# Many vulnerabilities fixed in newer versions
```
Security Considerations
| Control | Implementation |
|---|---|
| Keep Updated | Patch known vulnerabilities |
| Block screen:// | Prevent screen capture via policy |
| Monitor sout | Alert on streaming commands |
| Restrict network | Control VLC network access |
Investigation Checklist
Usage Analysis
- What is VLC being used for?
- Are there screen capture commands?
- Is streaming output configured?
- What files are being played?
Version Check
- What version of VLC is installed?
- Are there known vulnerabilities?
- When was it last updated?
Network Activity
- Is VLC making network connections?
- Are there streaming outputs?
- What ports are being used?
- Who are the connection targets?
Exploitation Check
- Were any suspicious media files opened?
- Are there unusual subtitle files?
- Did VLC crash unexpectedly?