T1219: Remote Access Software
| View on MITRE ATT&CK | T1219 |
|---|---|
| Tactic(s) | Command and Control |
Data from MITRE ATT&CK®:
An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as VNC, Team Viewer, AnyDesk, ScreenConnect, LogMein, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)
Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.
Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a Windows Service).
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
Connect:fun Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788
This report from Vedere Labs at Forescout Research details an exploitation campaign which they have designated Connect:fun. The attacks exploit ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Detailed Analysis of DarkGate
This post on Medium by S2W presents a technical analysis of DarkGate malware and the operator behind it. According to the report, DarkGate is a ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
Scattered Spider Advisory AA23-320A
This advisory from CISA outlines tactics, techniques and procedures used by the Scattered Spider threat actors, as observed by the FBI up until ...
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.
Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
How to detect this technique
MITRE ATT&CK Data Components
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
Network Connection Creation (Network Traffic)
Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)
Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
ScreenConnect Application Download and Install on Windows
UltraViewer - RAT Execution
MSP360 Connect Execution
AnyDesk Files Detected Test on Windows
NetSupport - RAT Execution
LogMeIn Files Detected Test on Windows
RemotePC Software Execution
TeamViewer Files Detected Test on Windows
UltraVNC Execution
RustDesk Files Detected Test on Windows
GoToAssist Files Detected Test on Windows
Ammyy Admin Software Execution
Sigma Detections for this Technique
Remote Access Tool - AnyDesk Piped Password Via CLI
TeamViewer Domain Query By Non-TeamViewer Application
Anydesk Temporary Artefact
Remote Access Tool - AnyDesk Execution
Hijack Legit RDP Session to Move Laterally
Mstsc.EXE Execution With Local RDP File
Installation of TeamViewer Desktop
Potential Amazon SSM Agent Hijacking
Remote Access Tool - LogMeIn Execution
Remote Access Tool - ScreenConnect Execution
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
Suspicious Binary Writes Via AnyDesk
Inveigh Execution Artefacts
Suspicious TSCON Start as SYSTEM
Antivirus Exploitation Framework Detection
ScreenConnect Temporary Installation Artefact
Remote Access Tool - UltraViewer Execution
Potential Linux Amazon SSM Agent Hijacking
Remote Access Tool - GoToAssist Execution
Remote Access Tool - AnyDesk Silent Installation
GoToAssist Temporary Installation Artefact
DNS Query To Remote Access Software Domain From Non-Browser App
TacticalRMM Service Installation
Remote Access Tool - NetSupport Execution
Atera Agent Installation
Use of UltraVNC Remote Access Software
Remote Access Tool - Simple Help Execution
Potential Remote Desktop Connection to Non-Domain Host
TeamViewer Remote Session
Remote Access Tool - Anydesk Execution From Suspicious Folder
Suspicious Mstsc.EXE Execution With Local RDP File
Mesh Agent Service Installation
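The data components and Sigma rule titles above say where to look (Sysmon process-creation and DNS telemetry) and what the rules key on: unattended installs, execution from unusual folders, renamed binaries, and remote-access domains resolved by something other than a browser. As an added example that is not part of this page, MITRE ATT&CK or the Sigma project, the Python below runs that logic over constructed Sysmon-style events. The binary names, domains, folder list and the AnyDesk command-line switches are an illustrative subset assumed for the example, not a complete inventory; a production rule set would substitute the organisation's own list of sanctioned tools.

```python
"""Detection pass for T1219 over constructed Sysmon-style events.

Added example; not MITRE, Sigma or vendor code. Fields follow Sysmon Event
ID 1 (process creation: Image, CommandLine, OriginalFileName) and Event
ID 22 (DNS query: Image, QueryName), simplified. Tool, domain and folder
lists are an illustrative subset (assumption); the sample events are made up.
"""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    event_id: int                 # 1 = process creation, 22 = DNS query
    image: str                    # full path of the process
    command_line: str = ""
    original_file_name: str = ""  # PE version-info name; survives renaming
    query_name: str = ""          # EID 22 only


@dataclass
class Finding:
    rule: str
    tool: str
    detail: str


# OriginalFileName / image basename -> product (illustrative subset, assumption).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "rustdesk.exe": "RustDesk",
    "client32.exe": "NetSupport",
}
# Registrable domains of the tools above (illustrative subset, assumption).
RMM_DOMAINS = {
    "anydesk.com": "AnyDesk",
    "teamviewer.com": "TeamViewer",
    "screenconnect.com": "ScreenConnect",
    "rustdesk.com": "RustDesk",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# User-writable locations a dropped or user-run copy tends to execute from.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                   "\\windows\\temp\\", "\\programdata\\")
# AnyDesk switches for unattended install / password set (assumed CLI; verify
# against the version actually deployed).
ANYDESK_UNATTENDED = ("--silent", "--set-password")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rmm_domain_owner(query_name: str) -> str | None:
    """Suffix match on registrable domain: 'relay.net.anydesk.com' hits,
    'anydesk.com.evil.example' does not."""
    labels = query_name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        tool = RMM_DOMAINS.get(".".join(labels[i:]))
        if tool:
            return tool
    return None


def analyze(events: list[Event]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev.event_id == 1:
            img, orig = basename(ev.image), ev.original_file_name.lower()
            # Key on OriginalFileName first: a renamed AnyDesk.exe keeps it.
            tool = RMM_BINARIES.get(orig) or RMM_BINARIES.get(img)
            if not tool:
                continue
            findings.append(Finding("rmm_execution", tool, ev.image))
            if orig and orig != img:
                findings.append(Finding("rmm_renamed_binary", tool,
                                        f"{img} has OriginalFileName {orig}"))
            if any(d in ev.image.lower() for d in SUSPICIOUS_DIRS):
                findings.append(Finding("rmm_suspicious_folder", tool, ev.image))
            if tool == "AnyDesk" and any(s in ev.command_line.lower()
                                         for s in ANYDESK_UNATTENDED):
                findings.append(Finding("anydesk_unattended_install", tool,
                                        ev.command_line))
        elif ev.event_id == 22:
            tool = rmm_domain_owner(ev.query_name)
            if tool and basename(ev.image) not in BROWSERS:
                findings.append(Finding("rmm_dns_from_non_browser", tool,
                                        f"{basename(ev.image)} -> {ev.query_name}"))
    return findings


# Constructed telemetry: a sanctioned install, a disguised one, and noise.
SAMPLE_EVENTS = [
    Event(1, r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe", "AnyDesk.exe"),
    Event(1, r"C:\Users\Public\svchost.exe",
          r"svchost.exe --install C:\ProgramData\AnyDesk --start-with-win --silent",
          "AnyDesk.exe"),
    Event(1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "svchost.exe"),
    Event(22, r"C:\Windows\Temp\update.exe", query_name="relay.net.anydesk.com"),
    Event(22, r"C:\Program Files\Google\Chrome\Application\chrome.exe", query_name="anydesk.com"),
    Event(1, r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
          "", "ScreenConnect.ClientService.exe"),
]


def run_sample() -> list[Finding]:
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:26} {f.tool:13} {f.detail}")
```

Two points the sample makes. First, the sanctioned AnyDesk and ScreenConnect installs under Program Files still raise `rmm_execution`; that rule is inventory, not an alert, and needs an allowlist of the tools the organisation actually deploys, which is exactly the gap the technique exploits when a tool is "allowed by application control". Second, the disguised copy in `C:\Users\Public` is caught three different ways even though its filename is `svchost.exe`, because `OriginalFileName` from the PE version resource is checked before the image name. The DNS rule only fires when the resolving process is not a browser, mirroring the Sigma title "DNS Query To Remote Access Software Domain From Non-Browser App".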
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.