T1219

Remote Access Tools

An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line int...

Platforms: Linux, macOS, Windows

40 Detections | 4 Sources | 13 Threat Actors

BY SOURCE: 15 elastic, 15 splunk_escu, 6 sigma, 4 kql

PROCEDURES (27)

Auto-extracted detection categories, one entry per procedure (category: number of detections):

Remote: 3 detections
Http: 2 detections
Download: 2 detections
Tunnel: 2 detections
Remote: 2 detections
Remote: 2 detections
Download: 2 detections
Tunnel: 2 detections
General Monitoring: 1 detection
Suspicious: 1 detection
Tunnel: 1 detection
Service: 1 detection
Persist: 1 detection
Persist: 1 detection
Process Creation Monitoring: 1 detection
Powershell: 1 detection
Persist: 1 detection
Tunnel: 1 detection
Service: 1 detection
Http: 1 detection
Registry: 1 detection
Persist: 1 detection
Powershell: 1 detection
Api: 1 detection
Suspicious: 1 detection
Powershell: 1 detection
Powershell: 1 detection

DETECTIONS (40)

Each entry lists the rule name followed by its source and, where given, its severity:

*Known RAT/RMM process patterns* (kql)
Attempt to Establish VScode Remote Tunnel (elastic, medium)
Cisco Secure Firewall - Communication Over Suspicious Ports (splunk_escu)
Cisco Secure Firewall - Remote Access Software Usage Traffic (splunk_escu)
Detect Remote Access Software Usage DNS (splunk_escu)
Detect Remote Access Software Usage File (splunk_escu)
Detect Remote Access Software Usage FileInfo (splunk_escu)
Detect Remote Access Software Usage Process (splunk_escu)
Detect Remote Access Software Usage Registry (splunk_escu)
Detect Remote Access Software Usage Traffic (splunk_escu)
Detect Remote Access Software Usage URL (splunk_escu)
Detect when AnyDesk makes a remote connection (kql)
First Time Seen DNS Query to RMM Domain (elastic, medium)
First Time Seen Remote Monitoring and Management Tool (elastic, medium)
HTTP RMM User Agent (splunk_escu)
Multiple Remote Management Tool Vendors on Same Host (elastic, medium)
NetSupport Manager Execution from an Unusual Path (elastic, high)
Newly Observed ScreenConnect Host Server (elastic, high)
OpenEDR Spawning Command Shell (sigma, medium)
Potential REMCOS Trojan Execution (elastic, high)
Potential Traffic Tunneling using QEMU (elastic, medium)
Potentially Suspicious File Creation by OpenEDR's ITSMService (sigma, medium)
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server (sigma, medium)
Remote File Copy via TeamViewer (elastic, medium)
Remote GitHub Actions Runner Registration (elastic, medium)
Remote Management Access Launch After MSI Install (elastic, medium)
Renamed Visual Studio Code Tunnel Execution (sigma, high)
RMM Tools with connections (kql)
Suspicious ScreenConnect Client Child Process (elastic, medium)
Suspicious Shell Execution via Velociraptor (elastic, medium)
Suspicious Velociraptor Child Process (sigma, high)
TTP Detection Rule: NetSupport running from unexpected directory (FIN7) (kql)
Visual Studio Code Tunnel Execution (sigma, medium)
VNC (Virtual Network Computing) from the Internet (elastic, high)
VNC (Virtual Network Computing) to the Internet (elastic, medium)
Windows Level RMM PowerShell Script Installer (splunk_escu)
Windows Level RMM Watchdog Task Created (splunk_escu)
Windows Remote Access Software BRC4 Loaded Dll (splunk_escu)
Windows Remote Access Software RMS Registry (splunk_escu)
Windows RMM Tool Execution (splunk_escu)