EXPLORE

← Back to Explore

T1219

Remote Access Tools

An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line int...

LinuxmacOSWindows

33

Detections

3

Sources

13

Threat Actors

BY SOURCE

15elastic12splunk_escu6sigma

PROCEDURES (24)

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

Network Connection Monitoring3 detections

Auto-extracted: 3 detections for network connection monitoring

Tunnel2 detections

Auto-extracted: 2 detections for tunnel

Dns2 detections

Auto-extracted: 2 detections for dns

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Service Monitoring2 detections

Auto-extracted: 2 detections for service monitoring

Download2 detections

Auto-extracted: 2 detections for download

C21 detections

Auto-extracted: 1 detections for c2

Lateral1 detections

Auto-extracted: 1 detections for lateral

Registry1 detections

Auto-extracted: 1 detections for registry

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

Service1 detections

Auto-extracted: 1 detections for service

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Powershell1 detections

Auto-extracted: 1 detections for powershell

Module Load Monitoring1 detections

Auto-extracted: 1 detections for module load monitoring

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

Registry1 detections

Auto-extracted: 1 detections for registry

Lateral1 detections

Auto-extracted: 1 detections for lateral

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Persist1 detections

Auto-extracted: 1 detections for persist

C21 detections

Auto-extracted: 1 detections for c2

THREAT ACTORS (13)

Akira BlackByte Carbanak Cobalt Group DarkVishnya FIN7 GOLD SOUTHFIELD INC Ransom Medusa Group MuddyWater OilRig Sandworm Team TeamTNT

DETECTIONS (33)

Attempt to Establish VScode Remote Tunnel

Cisco Secure Firewall - Communication Over Suspicious Ports

Cisco Secure Firewall - Remote Access Software Usage Traffic

Detect Remote Access Software Usage DNS

Detect Remote Access Software Usage File

Detect Remote Access Software Usage FileInfo

Detect Remote Access Software Usage Process

Detect Remote Access Software Usage Registry

Detect Remote Access Software Usage Traffic

Detect Remote Access Software Usage URL

First Time Seen DNS Query to RMM Domain

First Time Seen Remote Monitoring and Management Tool

HTTP RMM User Agent

Multiple Remote Management Tool Vendors on Same Host

NetSupport Manager Execution from an Unusual Path

Newly Observed ScreenConnect Host Server

OpenEDR Spawning Command Shell

Potential REMCOS Trojan Execution

Potential Traffic Tunneling using QEMU

Potentially Suspicious File Creation by OpenEDR's ITSMService

Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server

Remote File Copy via TeamViewer

Remote GitHub Actions Runner Registration

Remote Management Access Launch After MSI Install

Renamed Visual Studio Code Tunnel Execution

Suspicious ScreenConnect Client Child Process

Suspicious Shell Execution via Velociraptor

Suspicious Velociraptor Child Process

Visual Studio Code Tunnel Execution

VNC (Virtual Network Computing) from the Internet

VNC (Virtual Network Computing) to the Internet

Windows Remote Access Software BRC4 Loaded Dll

Windows Remote Access Software RMS Registry