An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.
Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system. It may also be used as a malware component to establish a reverse connection or back-connect to a service or adversary-controlled system.
Installation of many remote access tools may also include persistence (e.g., the software's installation routine creates a Windows Service). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1219 | Remote Access Tools |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. Firewalls and proxies can be configured to limit outgoing traffic to sites and services used by remote access software. In addition, network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can also be used to limit traffic between systems and mitigate abuse of remote access tools.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1219 | Remote Access Tools |
Comments
This control provides for appropriately segmented and segregated cloud environments. Firewalls and proxies can be configured to limit outgoing traffic to sites and services used by remote access software. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can also be used to limit traffic between systems and mitigate abuse of remote access tools.
References
|
| UEM-10 | Software Firewall | mitigates | T1219 | Remote Access Tools |
Comments
This control describes how CSPs and CSCs must install, update, and properly configure endpoint and software-defined firewalls, regularly review and approve firewall rule changes, and monitor traffic for anomalies and malicious code. These mitigative actions help prevent unauthorized access, block threats, and ensure only approved firewall rules are active.
References
|
| I&S-09 | Network Defense | mitigates | T1219 | Remote Access Tools |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Firewalls and proxies can be configured to limit outgoing traffic to sites and services used by remote access software. In addition, network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can also be used to limit traffic between systems and mitigate abuse of remote access tools.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1219.003 | Remote Access Hardware | 1 |
| T1219.002 | Remote Desktop Software | 1 |