T1219
Remote Access Tools
Description
An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system. It may also be used as a malware component to establish a reverse connection or back-connect to a service or adversary-controlled system.

Installation of many remote access tools may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). Remote a…
Platforms
Mitigations
- M1038 — Execution Prevention
- M1037 — Filter Network Traffic
- M1034 — Limit Hardware Installation
- M1031 — Network Intrusion Prevention
- M1042 — Disable or Remove Feature or Program
Our coverage
- Claude AI Independently Targeted SCADA Systems in Mexican Water Utility Cyberattack
- PamDOORa: New Linux Backdoor Sells for $900 on Russian Forum, Harvests SSH Credentials via PAM
- MuddyWater Uses Chaos Ransomware as False Flag in Microsoft Teams Espionage Campaign
- VENOMOUS#HELPER RMM Detection: Stop SimpleHelp and ScreenConnect Backdoors
- Cyber-Enabled Cargo Theft Hit $725M in 2025 as FBI Warns Transportation Sector
Source: MITRE ATT&CK Enterprise matrix.