Description
An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, Ammyy Admin, and other remote monitoring and management (RMM) tools is commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)
Remote access modules or features may also exist as part of software installed for other purposes, such as Zoom or Google Chrome's Remote Desktop.(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)
Mitigations (3)
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications. |
| M1037 | Filter Network Traffic | Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software. |
| M1038 | Execution Prevention | Use application control to mitigate installation and use of unapproved software that can be used for remote access. |
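As an added example (not ATT&CK content or any vendor's code) of applying the Execution Prevention mitigation to endpoint telemetry: it flags process-creation events for remote access binaries that are either not on the organisation's approved list or run from outside their expected install directory, the pattern seen when a portable RMM client is dropped into a user profile. The event schema, the binary-name map and the approved-tool policy are assumptions for illustration.

```python
import json
import ntpath

# Illustrative map of executable basenames to remote access tools this page names. Constructed
# starting point, not an authoritative list: extend it with binaries seen in your own telemetry.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "logmein.exe": "LogMeIn",
    "srmanager.exe": "Splashtop",
}

# Assumed policy: tools the organisation sanctions, and where a sanctioned install is expected to
# live. Any other remote access binary, or a sanctioned one running elsewhere, is reported.
APPROVED_TOOLS = {"ScreenConnect"}
APPROVED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def classify(event):
    """Return a finding for one process-creation event, or None if it is benign.

    Constructed event schema: host, user, image (full path), parent_image.
    """
    image = event["image"]
    tool = RMM_BINARIES.get(ntpath.basename(image).lower())
    if tool is None:
        return None  # not a known remote access binary
    if tool in APPROVED_TOOLS and image.lower().startswith(APPROVED_PREFIXES):
        return None  # sanctioned tool running from its expected install location
    reason = ("unapproved remote access tool" if tool not in APPROVED_TOOLS
              else "approved tool running outside its install directory")
    return {"host": event["host"], "user": event["user"], "tool": tool,
            "image": image, "parent": event["parent_image"], "reason": reason}


def scan(lines):
    """Classify JSON-lines telemetry records and return the list of findings."""
    return [f for f in (classify(json.loads(line)) for line in lines if line.strip()) if f]


# Constructed sample telemetry (not real data): a sanctioned install, a portable AnyDesk dropped
# into a user profile, and the approved product launched from a Downloads folder.
SAMPLE_LINES = [json.dumps(e) for e in (
    {"host": "ws01", "user": "jdoe", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
    {"host": "ws02", "user": "asmith", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\asmith\\AppData\\Local\\Temp\\AnyDesk.exe"},
    {"host": "ws03", "user": "bwong", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\bwong\\Downloads\\ScreenConnect.ClientService.exe"},
)]
```

Running `scan(SAMPLE_LINES)` reports the two user-profile executions and stays silent on the sanctioned install; in practice the input would be Sysmon or EDR process events mapped onto the same fields.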
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has used legitimate remote monitoring and management (RMM) tools including AnyDesk, NinjaOne, and ... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has downloaded remote management and monitoring software such as “AnyDesk” for post comp... |
| G0120 | Evilnum | [EVILNUM](https://attack.mitre.org/software/S0568) has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to com... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, N... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has installed TeamViewer on targeted systems.(Citation: Secureworks BRONZE PRESIDENT December 2... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used a modified TeamViewer client as a command and control channel.(Citation: Securelist Kimsuky ... |
| G0076 | Thrip | [Thrip](https://attack.mitre.org/groups/G0076) used a cloud-based remote access software called LogMeIn for their attacks.(Citation: Symantec Thrip Ju... |
| G0048 | RTM | [RTM](https://attack.mitre.org/groups/G0048) has used a modified version of TeamViewer and Remote Utilities for remote access.(Citation: Group IB RTM ... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has installed NetBird on victim devices to create a mesh network that facilitated control of s... |
| G1015 | Scattered Spider | In addition to directing victims to run remote software, [Scattered Spider](https://attack.mitre.org/groups/G1015) members themselves also deploy RMM ... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has leveraged RMM solutions including ScreenConnect, AteraAgent, SimpleHelp, Action1, Level, and P... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can use the Splashtop remote management service (SRManager.exe) to execute the Linux ransomware binar... |
References
- CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018.
- CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’ tolko s razreshenija S-a. Retrieved April 11, 2018.
- Google. (n.d.). Retrieved March 14, 2024.
- Huntress. (n.d.). Retrieved March 14, 2024.
- Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018.
Frequently Asked Questions
What is T1219.002 (Remote Desktop Software)?
T1219.002 is a MITRE ATT&CK technique named 'Remote Desktop Software'. It belongs to the Command and Control tactic(s). An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interf...
How can T1219.002 be detected?
Detection of T1219.002 (Remote Desktop Software) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1219.002?
There are 3 documented mitigations for T1219.002. Key mitigations include: Disable or Remove Feature or Program, Filter Network Traffic, Execution Prevention.
Which threat groups use T1219.002?
Known threat groups using T1219.002 include: Storm-0501, Contagious Interview, Evilnum, Storm-1811, Mustang Panda, Kimsuky, Thrip, RTM.