1. Home
  2. Techniques
  3. Enterprise
  4. Remote Access Tools
  5. Remote Desktop Software

Remote Access Tools: Remote Desktop Software

ID Name
T1219.001 IDE Tunneling
T1219.002 Remote Desktop Software
T1219.003 Remote Access Hardware

An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, Team Viewer, AnyDesk, ScreenConnect, LogMein, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.[1][2][3]

Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome’s Remote Desktop.[4][5]

ID: T1219.002
Sub-technique of:  T1219
Tactic: Command and Control
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 24 March 2025
Last Modified: 16 April 2025
Version Permalink

Procedure Examples

ID Name Description
C0015 C0015

During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network.[6]
C0018 C0018

During C0018, the threat actors used AnyDesk to transfer tools between systems.[7][8]
C0027 C0027

During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[9]
G1052 Contagious Interview

Contagious Interview has downloaded remote management and monitoring software such as "AnyDesk" for post compromise activities.[10][11][12][13][14]
G0120 Evilnum

EVILNUM has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to compromised machines.[15]
G0094 Kimsuky

Kimsuky has used a modified TeamViewer client as a command and control channel.[16][17]
G0129 Mustang Panda

Mustang Panda has installed TeamViewer on targeted systems.[18]
G0048 RTM

RTM has used a modified version of TeamViewer and Remote Utilities for remote access.[19]
G1015 Scattered Spider

In addition to directing victims to run remote software, Scattered Spider members themselves also deploy RMM software including TeamViewer, AnyDesk, LogMeIn, ngrok, and ConnectWise to establish persistence on the compromised network.[20][21][22][23][24]
G1053 Storm-0501

Storm-0501 has used legitimate remote monitoring and management (RMM) tools including AnyDesk, NinjaOne, and Level.io.[25]
G1046 Storm-1811

Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk.[26][27]
G0076 Thrip

Thrip used a cloud-based remote access software called LogMeIn for their attacks.[28]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications.
M1038 Execution Prevention

Use application control to mitigate installation and use of unapproved software that can be used for remote access.
M1037 Filter Network Traffic

Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0259 Remote Desktop Software Execution and Beaconing Detection AN0714

Adversary installation or use of RMM software (e.g., TeamViewer, AnyDesk, ScreenConnect) followed by outbound beaconing or remote session establishment
AN0715

Execution of known or custom VNC/remote desktop daemons or tunneling agents that initiate external communication after launch
AN0716

Initiation of remote desktop sessions via AnyDesk, TeamViewer, or Chrome Remote Desktop accompanied by unexpected user logins or system modifications

References

  1. Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018.
  2. CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018.
  3. CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’ tolko s razreshenija S-a. Retrieved April 11, 2018.
  4. Google. (n.d.). Retrieved March 14, 2024.
  5. Huntress. (n.d.). Retrieved March 14, 2024.
  6. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  7. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
  8. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
  9. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  10. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.
  11. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  12. Ryan Sherstobitoff. (2024, October 29). Inside a North Korean Phishing Operation Targeting DevOps Employees. Retrieved October 20, 2025.
  13. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
  14. Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025.
  1. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  2. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  3. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  4. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  5. Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.
  6. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  7. Trellix et. al.. (2023, August 17). Scattered Spider: The Modus Operandi. Retrieved March 18, 2024.
  8. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
  9. Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.
  10. Check Point Team. (2025, July 7). Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation. Retrieved October 13, 2025.
  11. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.
  12. Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
  13. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
  14. Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.