T1219: Remote Access Software

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, Ammyy Admin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.

Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.

Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Installing many remote access tools also establishes persistence as a side effect (e.g., the software's installation routine creates a Windows service). Remote access modules/features may also exist as part of otherwise legitimate, already-installed software (e.g., Google Chrome's Remote Desktop).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

remote_work: PT-CR-96: TeamViewer_Activity: Possible connection to the TeamViewer server or use of TeamViewer on a host
remote_work: PT-CR-1913: File_Copy_Via_RemoteAccess_Tool: A suspicious file was created using a remote access tool
remote_work: PT-CR-2318: Remote_Administration_Tools_Usage: A remote administration utility was used
remote_work: PT-CR-1839: VNC_Connection: VNC connection
hacking_tools: PT-CR-1725: Cobalt_Strike_HiddenDesktop: Cobalt Strike HiddenDesktop module activity. This module is used to interact with a remote desktop without the user's knowledge.

Detection

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow
Description:

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for applications and processes related to remote admin software. Correlate this activity with other suspicious behavior to reduce false positives where such software is legitimately used by users and administrators. Adversaries may combine these tools with Domain Fronting to evade defenses. Adversaries will typically need to deploy and/or install the remote access software on compromised systems, so host-based solutions may be able to detect or prevent its installation.
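As an added example that is not part of the ATT&CK page or of any Positive Technologies rule, the Python below implements the two checks described under Network Traffic Flow and Process Creation above: it folds Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records per (host, pid), flags a known RMM binary starting (escalated to high when the same process also opens a connection, which is the interactive channel the technique describes), and flags any process not in the environment's network baseline that opens a connection. The binary list, the baseline and the events are assumptions constructed for the example; `RMM_BINARIES` should be enriched from your own software inventory before use.

```python
import ntpath

# Assumption: usual executable names of the remote access tools named on the
# page (TeamViewer, AnyDesk, ScreenConnect, LogMeIn, Ammyy Admin, VNC servers,
# Chrome Remote Desktop). Not an authoritative list; enrich from inventory.
RMM_BINARIES = {
    "teamviewer.exe", "teamviewer_service.exe", "anydesk.exe",
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
    "logmein.exe", "aa_v3.exe", "winvnc.exe", "tvnserver.exe",
    "vncserver.exe", "remoting_host.exe",
}

# Constructed baseline of image names that normally initiate connections in
# this hypothetical environment. In practice, derive it from weeks of EventID 3 data.
BASELINE = {"chrome.exe", "svchost.exe", "outlook.exe", "msedge.exe"}

# Constructed Sysmon-style events: id 1 = Process Create, id 3 = Network Connection.
EVENTS = [
    {"id": 1, "host": "ws01", "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "chrome.exe"},
    {"id": 3, "host": "ws01", "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.50", "dst_port": 443},
    {"id": 1, "host": "ws01", "pid": 5208, "image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmd": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"id": 3, "host": "ws01", "pid": 5208, "image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 1, "host": "ws01", "pid": 6011, "image": r"C:\Users\alice\Downloads\TeamViewer.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "TeamViewer.exe"},
    {"id": 1, "host": "ws02", "pid": 3300, "image": r"C:\ProgramData\rmon\updater.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "updater.exe /svc"},
    {"id": 3, "host": "ws02", "pid": 3300, "image": r"C:\ProgramData\rmon\updater.exe",
     "dst_ip": "198.51.100.7", "dst_port": 8443},
    # Connection with no matching create event (log gap); the image comes from the event itself.
    {"id": 3, "host": "ws02", "pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.20", "dst_port": 80},
]


def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return ntpath.basename(path).lower()


def analyze(events, baseline):
    """Fold events per (host, pid), then emit alerts.

    Returns a list of dicts with host, pid, image, rule, severity and detail.
    """
    procs = {}
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["id"] == 1:
            procs[key] = {"image": ev["image"], "parent": ev["parent"],
                          "cmd": ev["cmd"], "dests": []}
        elif ev["id"] == 3:
            rec = procs.setdefault(key, {"image": ev["image"], "parent": None,
                                         "cmd": None, "dests": []})
            rec["dests"].append((ev["dst_ip"], ev["dst_port"]))

    alerts = []
    for (host, pid), rec in procs.items():
        name = image_name(rec["image"])
        if name in RMM_BINARIES:
            # A start on its own is medium; a start plus outbound traffic is high.
            connected = bool(rec["dests"])
            alerts.append({
                "host": host, "pid": pid, "image": rec["image"],
                "rule": "rmm_tool_with_network" if connected else "rmm_tool_started",
                "severity": "high" if connected else "medium",
                "detail": f"parent={rec['parent']} cmd={rec['cmd']} dests={rec['dests']}",
            })
        elif rec["dests"] and name not in baseline:
            # Never-seen-before network process: low severity, worth correlating.
            alerts.append({
                "host": host, "pid": pid, "image": rec["image"],
                "rule": "unbaselined_network_process", "severity": "low",
                "detail": f"dests={rec['dests']}",
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS, BASELINE):
        print(f"{a['severity']:6} {a['rule']:28} {a['host']} pid={a['pid']} {a['image']}  {a['detail']}")
```

Against the constructed events this yields three alerts: AnyDesk started from Outlook and talking to 203.0.113.10 (high), a TeamViewer start with no connection yet (medium), and an unbaselined `updater.exe` on ws02 (low); Chrome and svchost are in the baseline and produce nothing. The parent and command line carried in `detail` are what an analyst uses to separate a helpdesk-driven install from a phishing-delivered one.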

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description:

Monitor and analyze traffic patterns and perform packet inspection for protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlating with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor for anomalous use of binaries that do not normally initiate connections for the respective protocol).
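As an added example of the packet-inspection check above (not code from the ATT&CK page or from any vendor), the Python below classifies the first server-to-client bytes of a TCP flow against the RFB (VNC) ProtocolVersion handshake, which RFC 6143 defines as exactly 12 bytes of the form `RFB xxx.yyy\n`. It reports RFB on a port where it is not expected (VNC tunnelled over 443), banners that start with `RFB` but do not follow the format, and non-RFB traffic on the conventional VNC port range. The flows and payloads are constructed for the example; the port range and the set of "known" versions are assumptions a deployment should tune.

```python
import re

# RFB ProtocolVersion message per RFC 6143 section 7.1.1: "RFB xxx.yyy\n", 12 bytes.
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")
# Assumption: conventional RFB listener range (display :0 to :99).
VNC_PORTS = range(5900, 6000)
# Versions defined by RFC 6143. Vendors also announce others (e.g. 004.001),
# so an unknown version is informational rather than suspicious by itself.
KNOWN_RFB_VERSIONS = {(3, 3), (3, 7), (3, 8)}

SUSPICIOUS = {"rfb_on_unexpected_port", "rfb_malformed_banner", "non_rfb_on_vnc_port"}

# Constructed flows: (src_ip, dst_ip, dst_port, first bytes sent by the server).
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 5900, b"RFB 003.008\n"),                     # ordinary VNC
    ("10.0.0.5", "203.0.113.9", 443, b"RFB 003.008\n"),                    # VNC on an HTTPS port
    ("10.0.0.7", "203.0.113.9", 443, b"\x16\x03\x03\x00\x5a\x02\x00"),    # TLS ServerHello prefix
    ("10.0.0.8", "10.0.0.21", 5901, b"RFB 3.8\n"),                         # not the 12-byte format
    ("10.0.0.9", "10.0.0.22", 5900, b"SSH-2.0-OpenSSH_9.6\r\n"),           # something else on 5900
    ("10.0.0.9", "10.0.0.23", 5900, b"RFB 004.001\n"),                     # vendor version string
]


def classify(dst_port, payload):
    """Classify the opening server bytes of one flow.

    Returns one of: rfb_expected_port, rfb_on_unexpected_port,
    rfb_nonstandard_version, rfb_malformed_banner, non_rfb_on_vnc_port, other.
    """
    m = RFB_BANNER.fullmatch(payload[:12])
    if m:
        version = (int(m.group(1)), int(m.group(2)))
        if dst_port not in VNC_PORTS:
            return "rfb_on_unexpected_port"
        if version not in KNOWN_RFB_VERSIONS:
            return "rfb_nonstandard_version"
        return "rfb_expected_port"
    if payload.startswith(b"RFB"):
        # Looks like RFB but violates the fixed 12-byte syntax.
        return "rfb_malformed_banner"
    if dst_port in VNC_PORTS:
        # Port reserved for RFB in this environment carrying some other protocol.
        return "non_rfb_on_vnc_port"
    return "other"


def scan(flows):
    """Return (src, dst, port, verdict) for flows whose verdict is suspicious."""
    hits = []
    for src, dst, port, payload in flows:
        verdict = classify(port, payload)
        if verdict in SUSPICIOUS:
            hits.append((src, dst, port, verdict))
    return hits


if __name__ == "__main__":
    for src, dst, port, verdict in scan(FLOWS):
        print(f"{verdict:26} {src} -> {dst}:{port}")
```

Flow classification alone does not say who is at the keyboard; joining a `rfb_on_unexpected_port` hit with the process that owns the socket (the correlation the description calls for) is what turns it into an actionable alert.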

ID: DS0029
Data source and component: Network Traffic: Network Connection Creation
Description:

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Mitigation

ID: M1038
Name: Execution Prevention
Description:

Use application control to mitigate installation and use of unapproved software that can be used for remote access.

ID: M1037
Name: Filter Network Traffic
Description:

Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software.

ID: M1042
Name: Disable or Remove Feature or Program
Description:

Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications.

ID: M1031
Name: Network Intrusion Prevention
Description:

Network intrusion detection and prevention systems that use network signatures may be able to identify and block traffic to remote access services.