
T1219.002 Remote Desktop Software

An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, is commonly used as legitimate technical support software and may be allowed by application control within a target environment. [5][1][2]

Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome’s Remote Desktop. [3][4]

Item | Value
ID | T1219.002
Sub-techniques | T1219.001, T1219.002, T1219.003
Tactics | TA0011
Platforms | Linux, Windows, macOS
Version | 1.0
Created | 24 March 2025
Last Modified | 16 April 2025

Procedure Examples

ID | Name | Description
C0015 | C0015 | During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network. [28]
C0018 | C0018 | During C0018, the threat actors used AnyDesk to transfer tools between systems. [26][25]
C0027 | C0027 | During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools. [27]
G1052 | Contagious Interview | Contagious Interview has downloaded remote management and monitoring software such as “AnyDesk” for post-compromise activities. [7][8][9][10][11]
G0120 | Evilnum | EVILNUM has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to compromised machines. [12]
G0094 | Kimsuky | Kimsuky has used a modified TeamViewer client as a command and control channel. [17][16]
G0129 | Mustang Panda | Mustang Panda has installed TeamViewer on targeted systems. [15]
G0048 | RTM | RTM has used a modified version of TeamViewer and Remote Utilities for remote access. [19]
G1015 | Scattered Spider | In addition to directing victims to run remote software, Scattered Spider members themselves also deploy RMM software including TeamViewer, AnyDesk, LogMeIn, ngrok, and ConnectWise to establish persistence on the compromised network. [22][24][23][20][21]
G1053 | Storm-0501 | Storm-0501 has used legitimate remote monitoring and management (RMM) tools including AnyDesk, NinjaOne, and Level.io. [6]
G1046 | Storm-1811 | Storm-1811 has abused multiple types of legitimate remote access software and tools, such as ScreenConnect, NetSupport Manager, and AnyDesk. [13][14]
G0076 | Thrip | Thrip used a cloud-based remote access software called LogMeIn for their attacks. [18]

Mitigations

ID | Mitigation | Description
M1042 | Disable or Remove Feature or Program | Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications.
M1038 | Execution Prevention | Use application control to mitigate installation and use of unapproved software that can be used for remote access.
M1037 | Filter Network Traffic | Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software.
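As an added example in the spirit of M1038 and M1042 (this is not code from the ATT&CK page or from any vendor), the script below reads Sysmon-style process-creation events and flags RMM binaries from the tools named above that are not on an approved list, or approved ones launched from outside their managed install path, which is how a victim-run installer from a Downloads or Temp folder (as in the Scattered Spider and Storm-1811 entries) would surface. The executable names, the approved-tool list, the install path and the sample events are assumptions constructed for the example.

```python
import json
from collections import namedtuple

# Executable names for RMM tools named on this page (assumed for the example).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "lmiguardiansvc.exe": "LogMeIn",
}
# Approved tools (M1038/M1042) with their managed install path: any other RMM
# tool is unapproved, and an approved one outside that path is suspect.
APPROVED = {"ScreenConnect": "c:/program files (x86)/screenconnect client/"}
Alert = namedtuple("Alert", "host user tool reason")

def classify_event(event):
    """Alert on a Sysmon-style process-creation event (EventID 1) that runs an
    RMM binary which is unapproved or outside its managed install path."""
    if event.get("EventID") != 1:
        return None
    image = str(event.get("Image", "")).replace("\\", "/").lower()
    tool = RMM_BINARIES.get(image.rsplit("/", 1)[-1])
    if tool is None:
        return None
    host, user = event.get("Computer", "?"), event.get("User", "?")
    if tool not in APPROVED:
        return Alert(host, user, tool, "unapproved RMM tool executed")
    if not image.startswith(APPROVED[tool]):
        return Alert(host, user, tool, "approved tool run from unexpected path " + image)
    return None

def scan(lines):
    """Parse one JSON event per line, skipping lines that are not JSON objects."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and (alert := classify_event(event)):
            alerts.append(alert)
    return alerts

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_LOG = [
    '{"EventID": 1, "Computer": "WS01", "User": "CORP\\\\alice", "Image": "C:\\\\Users\\\\alice\\\\Downloads\\\\AnyDesk.exe"}',
    '{"EventID": 1, "Computer": "WS02", "User": "CORP\\\\bob", "Image": "C:\\\\Program Files (x86)\\\\ScreenConnect Client\\\\ScreenConnect.ClientService.exe"}',
    '{"EventID": 1, "Computer": "WS03", "User": "CORP\\\\carol", "Image": "C:\\\\Users\\\\carol\\\\AppData\\\\Local\\\\Temp\\\\ScreenConnect.ClientService.exe"}',
]
print(*scan(SAMPLE_LOG), sep="\n")
```

Running it reports the AnyDesk launch on WS01 as unapproved and the ScreenConnect client on WS03 as mislocated, while the managed install on WS02 is silent.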

References

  1. CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018.

  2. CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’ tolko s razreshenija S-a. Retrieved April 11, 2018.

  3. Google. (n.d.). Retrieved March 14, 2024.

  4. Huntress. (n.d.). Retrieved March 14, 2024.

  5. Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018.

  6. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.

  7. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.

  8. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.

  9. Ryan Sherstobitoff. (2024, October 29). Inside a North Korean Phishing Operation Targeting DevOps Employees. Retrieved October 20, 2025.

  10. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.

  11. Unit 42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025.

  12. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.

  13. Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.

  14. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.

  15. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.

  16. CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.

  17. Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT? Retrieved August 13, 2019.

  18. Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.

  19. Skulkin, O. (2019, August 5). Following the RTM: Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.

  20. Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.

  21. Check Point Team. (2025, July 7). Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation. Retrieved October 13, 2025.

  22. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.

  23. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.

  24. Trellix et al. (2023, August 17). Scattered Spider: The Modus Operandi. Retrieved March 18, 2024.

  25. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.

  26. Venere, G., Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.

  27. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.

  28. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.