Description
An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually a graphical interface) and remote management software (typically a command line interface) allow a user to control a computer remotely as if they were a local user, inheriting the permissions of that user or of the software itself. This software is commonly used for troubleshooting, software installation, and system management.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.
Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system. They may also be used as a malware component to establish a reverse connection or back-connect to a service or adversary-controlled system.
Installation of many remote access tools may also provide persistence (e.g., the software's installation routine creates a Windows Service). Remote access modules/features may also exist as part of software installed for other purposes (e.g., Google Chrome's Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)
Platforms
Sub-Techniques (3)
Mitigations (5)
Execution PreventionM1038
Use application control to mitigate installation and use of unapproved software that can be used for remote access.
Filter Network TrafficM1037
Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software.
Limit Hardware InstallationM1034
Block the use of IP-based KVM devices within the network if they are not required.
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services.
Disable or Remove Feature or ProgramM1042
Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications.
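The following is an added example, not code from MITRE ATT&CK or from any tool vendor, that turns the description above and the mitigations M1038, M1037 and M1042 into a triage routine over endpoint telemetry. It flags execution of remote access tools the environment has not approved, an approved tool running outside its vendor install directory, a remote access tool registered as a Windows service (the persistence point from the description), and egress to relay or tunnel domains of unapproved services. The log format, the executable names, the relay domains and the "only TeamViewer from Program Files is approved" policy are all assumptions for a hypothetical environment; check the names against what your own EDR records.

```python
"""Triage constructed endpoint telemetry for T1219 (Remote Access Tools).

Added example, not MITRE ATT&CK or vendor code. Event lines, tool names,
domains and the approval policy are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Executable names commonly associated with tools named on this page.
# Assumption: these match what your telemetry records; verify locally.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "aa_v3.exe": "Ammyy Admin",
    "dwrcs.exe": "DameWare Mini Remote Control",
    "screenconnect.clientservice.exe": "ConnectWise Control",
    "ateraagent.exe": "Atera",
    "logmein.exe": "LogMeIn",
    "remoting_host.exe": "Chrome Remote Desktop",
    "ngrok.exe": "ngrok",
    "tmate": "tmate",
    "winvnc.exe": "VNC",
}
# Assumption: the hypothetical environment approves only TeamViewer, and only
# when it runs from the vendor install directory (regex on the lower-cased path).
APPROVED = {"TeamViewer": r"^c:\\program files\\teamviewer\\"}
# Illustrative relay/tunnel domains per service (assumption; tune to your proxy logs).
REMOTE_ACCESS_DOMAINS = {
    "anydesk.com": "AnyDesk",
    "teamviewer.com": "TeamViewer",
    "ngrok.io": "ngrok",
    "tmate.io": "tmate",
    "screenconnect.com": "ConnectWise Control",
}


@dataclass
class Finding:
    host: str
    severity: str
    reason: str


def _tool_for(image: str):
    """Map an image path to a tool name by its basename, or None."""
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return REMOTE_ACCESS_TOOLS.get(base)


def _domain_tool(dst: str):
    """Map a destination hostname to a remote access service, or None."""
    dst = dst.lower()
    for dom, tool in REMOTE_ACCESS_DOMAINS.items():
        if dst == dom or dst.endswith("." + dom):
            return tool
    return None


def triage(lines):
    """Return Findings for 'ts|host|event|k=v;k=v' lines (constructed format)."""
    findings = []
    for line in lines:
        _ts, host, event, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        if event == "process_create":
            tool = _tool_for(fields["image"])
            if tool is None:
                continue
            if tool not in APPROVED:
                findings.append(Finding(host, "high",
                    f"unapproved remote access tool {tool} executed: {fields['image']}"))
            elif not re.match(APPROVED[tool], fields["image"].lower()):
                findings.append(Finding(host, "medium",
                    f"approved tool {tool} running outside its install path: {fields['image']}"))
        elif event == "service_install":
            tool = _tool_for(fields["image"])
            if tool is not None:
                sev = "info" if tool in APPROVED else "high"
                findings.append(Finding(host, sev,
                    f"{tool} registered as Windows service '{fields['name']}' (persistence)"))
        elif event == "net_connect":
            tool = _domain_tool(fields["dst"])
            if tool is not None and tool not in APPROVED:
                findings.append(Finding(host, "medium",
                    f"egress to {tool} service {fields['dst']} from {fields['image']}"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "2024-03-14T10:00:01|WS01|process_create|image=C:\\Program Files\\TeamViewer\\TeamViewer.exe;user=CORP\\helpdesk",
    "2024-03-14T10:05:12|WS01|process_create|image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe;user=CORP\\jdoe",
    "2024-03-14T10:05:40|WS01|service_install|name=AnyDesk;image=C:\\ProgramData\\AnyDesk\\AnyDesk.exe",
    "2024-03-14T10:06:02|WS01|net_connect|image=C:\\ProgramData\\AnyDesk\\AnyDesk.exe;dst=relay-1.net.anydesk.com;dport=443",
    "2024-03-14T11:12:33|SRV02|process_create|image=C:\\Users\\Public\\ngrok.exe;user=CORP\\svc_backup",
    "2024-03-14T11:13:00|SRV02|net_connect|image=C:\\Users\\Public\\ngrok.exe;dst=tunnel.ngrok.io;dport=443",
    "2024-03-14T12:00:00|WS03|process_create|image=C:\\Users\\tmp\\TeamViewer.exe;user=CORP\\contractor",
    "2024-03-14T12:30:00|WS04|process_create|image=C:\\Windows\\System32\\notepad.exe;user=CORP\\bob",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {f.reason}")
```

On the constructed sample, the helpdesk TeamViewer session produces nothing, while the AnyDesk download, its service registration and its relay connection on WS01, the ngrok binary and tunnel on SRV02, and the TeamViewer copy running from a user directory on WS03 each produce a finding. The path check matters in practice: attackers in the group table above use the same tools IT staff use, so "known tool" alone is not a signal; "known tool, unexpected location, unexpected user, fresh service" is.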
Threat Groups (12)
| ID | Group | Context |
|---|---|---|
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has established tmate sessions for C2 communications.(Citation: Unit 42 Hildegard Malware)(Citation: ... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has incorporated remote monitoring and management (RMM) tools into their operations including [ngrok](... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has utilized the remote management tool Atera to download malware to a compromised system.(Citation: Man... |
| G0115 | GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deplo... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used AnyDesk and PuTTY on compromised systems.(Citation: Huntress INC Ransom Group August 202... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has leveraged Remote Access Software for lateral movement and data exfiltration.(Citation: Palo ... |
| G0105 | DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) used DameWare Mini Remote Control for lateral movement.(Citation: Securelist DarkVishnya Dec 2018... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used remote administration tools or remote industrial control system client software for ex... |
| G0008 | Carbanak | [Carbanak](https://attack.mitre.org/groups/G0008) used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target syst... |
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) uses legitimate utilities such as AnyDesk and PuTTy for maintaining remote access to victim environment... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) has used tools such as AnyDesk in victim environments.(Citation: Picus BlackByte 2022)(Citation: Mi... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote ... |
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S0384 | Dridex | Malware | [Dridex](https://attack.mitre.org/software/S0384) contains a module for VNC.(Citation: Dell Dridex Oct 2015) |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) has the capability to download a VNC module from command and control (C2).(Citation: ESET RTM Feb 2017) |
| S0030 | Carbanak | Malware | [Carbanak](https://attack.mitre.org/software/S0030) has a plugin for VNC and Ammyy Admin Tool.(Citation: FireEye CARBANAK June 2017) |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) uses vncDll module to remote control the victim machine.(Citation: ESET Trickbot Oct 2020)(Citatio... |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has established tmate sessions for C2 communications.(Citation: Unit 42 Hildegard Malware) |
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has utilized remote access software including AnyDesk client through the “adc” module.(Cita... |
| S0554 | Egregor | Malware | [Egregor](https://attack.mitre.org/software/S0554) has checked for the LogMein event log in an attempt to encrypt files in remote machines.(Citation: ... |
References
- CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018.
- CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’ tolko s razreshenija S-a. Retrieved April 11, 2018.
- Google. (n.d.). Retrieved March 14, 2024.
- Huntress. (n.d.). Retrieved March 14, 2024.
- Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018.
Frequently Asked Questions
What is T1219 (Remote Access Tools)?
T1219 is a MITRE ATT&CK technique named 'Remote Access Tools'. It belongs to the Command and Control tactic(s). An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a g...
How can T1219 be detected?
Detection of T1219 (Remote Access Tools) focuses on the execution of remote access software that is not approved for the environment, the installation of Windows services by such software, and network traffic to the relay or tunnel services these tools use. Correlate process, service and network telemetry in a SIEM or EDR, and compare what is observed against the set of remote access tools and destinations the organization has sanctioned; unapproved tools, approved tools run from unexpected locations or by unexpected users, and IP-based KVM hardware where none is required are the signals worth alerting on.
What mitigations exist for T1219?
There are 5 documented mitigations for T1219. Key mitigations include: Execution Prevention, Filter Network Traffic, Limit Hardware Installation, Network Intrusion Prevention, Disable or Remove Feature or Program.
Which threat groups use T1219?
Known threat groups using T1219 include: TeamTNT, OilRig, FIN7, GOLD SOUTHFIELD, INC Ransom, Medusa Group, DarkVishnya, Sandworm Team.