T1219 · command-and-control · 16 actors · 5 correlated reports

Remote Access Software

An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access. Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a Windows Service). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used. Domain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.

Observed actors

Kimsuky
G0094 Evilnum
G0120 MuddyWater
G0069 TeamTNT
G0139 FIN7
G0046 Sandworm Team
G0034 Mustang Panda
G0129 Scattered Spider
G1015 Akira
G1024 Carbanak
G0008 DarkVishnya
G0105 RTM
G0048 GOLD SOUTHFIELD
G0115 INC Ransom
G1032 Thrip
G0076 Cobalt Group
G0080

Correlated CTI and IR reports

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
FBI / CISA / DC3 · direct source mapping MuddyWater G0069
MITRE ATT&CK · direct source mapping 1. Executive Summary
Israel Threat Actors CTI · explicit report mention Pioneer Kitten (Fox Kitten, Lemon Sandstorm, UNC757) – Actor Deep Research
Israel Threat Actors CTI · explicit report mention Worked Cases
Israel Threat Actors CTI · explicit report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research