Remote Access Tools: Remote Desktop Software T1219.002
An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as `VNC`, `TeamViewer`, `AnyDesk`, `ScreenConnect`, `LogMeIn`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, is commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules or features may also ship as part of software that is already present, such as Zoom or Google Chrome's Remote Desktop.
Events covered
8 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 37 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's `Image`, Elastic's `process.name`, and Splunk's `process_name` collapse into one row. Each rule contributes at most once per row.
Fields filtered most (17 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (`eq`, `wildcard`, `regex_match`, `match`) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (214 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma (37 rules)
- Anydesk Temporary Artefact
- Atera Agent Installation
- DNS Query To AzureWebsites.NET By Non-Browser Process
- DNS Query To Remote Access Software Domain From Non-Browser App
- GoToAssist Temporary Installation Artefact
- HackTool - Inveigh Execution Artefacts
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
- Hijack Legit RDP Session to Move Laterally
- Installation of TeamViewer Desktop
- Mesh Agent Service Installation
- Mstsc.EXE Execution With Local RDP File
- Potential Amazon SSM Agent Hijacking
- Potential Remote Desktop Connection to Non-Domain Host
- QuickAssist Execution
- Remote Access Tool - AnyDesk Execution
- Remote Access Tool - Anydesk Execution From Suspicious Folder
- Remote Access Tool - AnyDesk Incoming Connection
- Remote Access Tool - AnyDesk Piped Password Via CLI
- Remote Access Tool - AnyDesk Silent Installation
- Remote Access Tool - GoToAssist Execution
- Remote Access Tool - LogMeIn Execution
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Remote Access Tool - NetSupport Execution
- Remote Access Tool - Potential MeshAgent Execution - Windows
- Remote Access Tool - Renamed MeshAgent Execution - Windows
- Remote Access Tool - ScreenConnect Execution
- Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
- Remote Access Tool - Simple Help Execution
- Remote Access Tool - UltraViewer Execution
- ScreenConnect Temporary Installation Artefact
- Suspicious Binary Writes Via AnyDesk
- Suspicious Mstsc.EXE Execution With Local RDP File
- Suspicious TSCON Start as SYSTEM
- TacticalRMM Service Installation
- TeamViewer Domain Query By Non-TeamViewer Application
- TeamViewer Remote Session
- Use of UltraVNC Remote Access Software