An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they were a local user, inheriting that user's or the software's permissions. This software is commonly used for troubleshooting, software installation, and system management.[1][2][3] Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.
Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system. They may also be used as a malware component to establish a reverse connection or back-connect to a service or adversary-controlled system.
Installation of many remote access tools may also include persistence (e.g., the software's installation routine creates a Windows Service). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).[4][5]
ID | Name | Description |
---|---|---|
G1024 | Akira | Akira uses legitimate utilities such as AnyDesk and PuTTY for maintaining remote access to victim environments.[6][7] |
G1043 | BlackByte | BlackByte has used tools such as AnyDesk in victim environments.[8][9] |
C0027 | C0027 | During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[10] |
S0030 | Carbanak | |
G0008 | Carbanak | Carbanak used legitimate programs such as AmmyyAdmin and TeamViewer for remote interactive C2 to target systems.[12] |
G0080 | Cobalt Group | Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost.[13][14][15] |
G0105 | DarkVishnya | DarkVishnya used DameWare Mini Remote Control for lateral movement.[16] |
S0384 | Dridex | |
S0554 | Egregor | Egregor has checked for the LogMeIn event log in an attempt to encrypt files on remote machines.[18] |
G0046 | FIN7 | FIN7 has utilized the remote management tool Atera to download malware to a compromised system.[19] |
G0115 | GOLD SOUTHFIELD | GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.[20] |
S0601 | Hildegard | Hildegard has established tmate sessions for C2 communications.[21] |
G1032 | INC Ransom | INC Ransom has used AnyDesk and PuTTY on compromised systems.[22][23][24][25] |
G0069 | MuddyWater | MuddyWater has used the legitimate applications ScreenConnect, AteraAgent and SimpleHelp to manage systems remotely and move laterally.[26][27][28][29] |
C0002 | Night Dragon | During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels.[30] |
G0049 | OilRig | OilRig has incorporated remote monitoring and management (RMM) tools into their operations, including ngrok.[31] |
S0148 | RTM | RTM has the capability to download a VNC module from command and control (C2).[32] |
G0034 | Sandworm Team | Sandworm Team has used remote administration tools or remote industrial control system client software for execution and to maliciously release electricity breakers.[33][34] |
G1015 | Scattered Spider | During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[10] In addition to directing victims to run remote software, Scattered Spider members themselves also deploy RMM software including AnyDesk, LogMeIn, and ConnectWise Control to establish persistence on the compromised network.[35][36] |
G0139 | TeamTNT | TeamTNT has established tmate sessions for C2 communications.[21][37] |
S0266 | TrickBot | TrickBot uses the vncDll module to remotely control the victim machine.[38][39] |
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program | Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications. |
M1038 | Execution Prevention | Use application control to mitigate installation and use of unapproved software that can be used for remote access. |
M1037 | Filter Network Traffic | Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software. |
M1034 | Limit Hardware Installation | Block the use of IP-based KVM devices within the network if they are not required. |
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0016 | Drive | Drive Creation | Monitor for newly constructed drives or other related events associated with computer hardware and other accessories (especially new or unknown) being connected to systems. Endpoint sensors may be able to detect the addition of hardware via USB and other external device communication ports. |
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
| | Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
| | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
DS0009 | Process | Process Creation | Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior that may reduce false positives if this type of software is used by legitimate users and administrators. Domain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install this remote software on compromised systems. It may be possible to detect or prevent the installation of this type of software with host-based solutions. |
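As an added example (not part of the ATT&CK page or any vendor's detection content), the following Python rule applies the Process Creation and Network Connection Creation / Network Traffic Flow detections above to a few constructed Sysmon-style events: it flags remote access tools launched by accounts not approved for them, escalates when such a process then makes an outbound connection, and separately flags any image making a network connection that is absent from a baseline of known network-using processes. The executable names, the account allowlist, the network baseline and the event records are all assumptions for illustration; the product names come from the page.

```python
"""Added example, not from the ATT&CK page: a small correlation rule over
Sysmon-style process-creation and network-connection events that looks for
remote access / RMM software.  Executable names, the approval policy, the
network baseline and all event records below are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Products named on the page; the executable names are assumptions.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ConnectWise Control",
    "ngrok.exe": "ngrok",
}

# Hypothetical organisational policy: which accounts may run which tool.
# This is the "correlate with legitimate use" step that keeps false
# positives down when helpdesk staff use an approved tool.
APPROVED = {"TeamViewer": {"CORP\\helpdesk01"}}

# Hypothetical baseline of images normally observed making outbound
# connections on this host class (Network Traffic Flow detection).
NETWORK_BASELINE = {"chrome.exe", "outlook.exe", "svchost.exe", "teamviewer.exe"}


@dataclass(frozen=True)
class Alert:
    host: str
    pid: int
    image: str
    user: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: Iterable[dict],
           approved: dict = APPROVED,
           baseline: set = NETWORK_BASELINE) -> list[Alert]:
    """Return alerts for the given event stream (see module docstring)."""
    alerts: list[Alert] = []
    rmm_procs: dict[tuple, tuple] = {}   # (host, pid) -> (tool, user)
    for ev in events:
        key = (ev["host"], ev["pid"])
        name = _basename(ev["image"])
        if ev["event"] == "process_create":
            tool = RMM_BINARIES.get(name)
            if tool is None:
                continue
            rmm_procs[key] = (tool, ev["user"])
            if ev["user"] not in approved.get(tool, set()):
                alerts.append(Alert(*key, name, ev["user"],
                                    f"{tool} started by account not approved for it"))
        elif ev["event"] == "network_connect":
            if name not in baseline:
                alerts.append(Alert(*key, name, ev["user"],
                                    "outbound connection from image not in network baseline"))
            if key in rmm_procs:
                tool, user = rmm_procs[key]
                if user not in approved.get(tool, set()):
                    alerts.append(Alert(*key, name, user,
                                        f"unapproved {tool} reached {ev['dst_ip']}:{ev['dst_port']} "
                                        "(possible C2 channel)"))
    return alerts


# Constructed sample events (not real telemetry): an approved helpdesk
# TeamViewer session, then AnyDesk run from a user's Temp directory.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS01", "pid": 4120, "user": "CORP\\helpdesk01",
     "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"},
    {"event": "network_connect", "host": "WS01", "pid": 4120, "user": "CORP\\helpdesk01",
     "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "dst_ip": "203.0.113.10", "dst_port": 5938},
    {"event": "process_create", "host": "WS07", "pid": 5532, "user": "CORP\\jsmith",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\AnyDesk.exe"},
    {"event": "network_connect", "host": "WS07", "pid": 5532, "user": "CORP\\jsmith",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\AnyDesk.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host} pid={a.pid} {a.image} {a.user}: {a.reason}")
```

The approved TeamViewer session produces nothing, while the AnyDesk run on WS07 yields three alerts: the launch by an unapproved account, the outbound connection from an image outside the baseline, and the correlated "unapproved tool reached an external endpoint" finding that is the strongest signal of a remote access channel. In practice the allowlist and baseline would be generated from inventory and historical telemetry rather than typed in.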