Remote Access Tools: Remote Desktop Software

An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, Ammyy Admin, and other remote monitoring and management (RMM) tools is commonly used as legitimate technical support software and may be allowed by application control within a target environment.[1][2][3]

Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome’s Remote Desktop.[4][5]

ID: T1219.002
Sub-technique of: T1219
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 24 March 2025
Last Modified: 16 April 2025

Procedure Examples

ID Name Description
C0015 C0015

During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network.[6]

C0018 C0018

During C0018, the threat actors used AnyDesk to transfer tools between systems.[7][8]

G0120 Evilnum

EVILNUM has used the malware variant TerraTV to run a legitimate TeamViewer application to connect to compromised machines.[9]

G0094 Kimsuky

Kimsuky has used a modified TeamViewer client as a command and control channel.[10][11]

G0129 Mustang Panda

Mustang Panda has installed TeamViewer on targeted systems.[12]

G0048 RTM

RTM has used a modified version of TeamViewer and Remote Utilities for remote access.[13]

G1046 Storm-1811

Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk.[14][15]

G0076 Thrip

Thrip used cloud-based remote access software called LogMeIn for their attacks.[16]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications.

M1038 Execution Prevention

Use application control to mitigate installation and use of unapproved software that can be used for remote access.

M1037 Filter Network Traffic

Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for:
- Outbound connections to known RMM service endpoints (e.g., .teamviewer.com, .anydesk.com)
- New connections from internal systems to unexpected IPs on:
  - TCP 5938 (TeamViewer)
  - TCP 7070–7071 (AnyDesk)
  - TCP 5650 (Ammyy Admin)
  - TCP/UDP 443, 80, or randomized ports

Analytic 1 - Detect network traffic for Remote Desktop software

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=3
    (DestinationHostname IN ("*.teamviewer.com", "*.anydesk.com", "*.logmein.com", "*.screenconnect.com")
     OR DestinationPort IN (5938, 7070, 7071, 443))
| stats count by Image, DestinationHostname, DestinationIp, DestinationPort, user, host, _time
| sort -_time

The hostname values need the leading wildcard, since IN performs exact matches. Sysmon network connection events (EventCode 3) carry no CommandLine field, so grouping on it would drop every row; group on Image and user instead and join to process creation events when command line context is needed. Matching DestinationPort 443 on its own will return most web traffic, so that branch is only useful combined with a hostname or Image condition.

Network Traffic Content

Monitor and analyze traffic patterns and packet contents associated with protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlating with process monitoring and command line logging to detect anomalous process execution and command line arguments associated with those traffic patterns (e.g., monitor for files that do not normally initiate connections for the respective protocol doing so).

DS0009 Process Process Creation

Monitor for applications and processes related to remote desktop software. Correlate activity with other suspicious behavior to reduce false positives where this type of software is used by legitimate users and administrators. Domain Fronting may be used in conjunction with this software to avoid defenses. Adversaries will likely need to deploy and/or install this remote access software on compromised systems, so it may be possible to detect or prevent its installation with host-based solutions.

Analytic 1 - Detect Remote Desktop Execution

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
    (Image="*\\TeamViewer.exe" OR Image="*\\AnyDesk.exe" OR Image="*\\Ammyy_Admin.exe" OR Image="*\\connectwisecontrol.client.exe")
| stats count by Image, ParentImage, CommandLine, user, host, _time
| sort -_time

Image holds the full path, so each name needs a leading wildcard and an escaped path separator; restricting to EventCode=1 keeps the search on process creation events, which are the only Sysmon events that carry ParentImage and CommandLine.

References