T1219.002 · Sub-technique · command-and-control

T1219.002 Remote Desktop Software

Sub-technique of T1219

Platforms: Linux · macOS · Windows

ATT&CK version: v19.1

What it is

An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as `VNC`, `TeamViewer`, `AnyDesk`, `ScreenConnect`, `LogMeIn`, `Ammyy Admin`, and other remote monitoring and management (RMM) tools, is commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) Remote access modules or features may also exist as part of other software, such as Zoom or Google Chrome’s Remote Desktop.(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)

ATT&CK tactics · 1

Command and Control

References

  1. https://attack.mitre.org/techniques/T1219/002
  2. https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf
  3. https://blog.crysys.hu/2013/03/teamspy/
  4. https://support.google.com/chrome/answer/1649523
  5. https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
  6. https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.