During nearly every Incident Response engagement, it’s common to encounter at least one commercial, free, or built-in Remote Access software being (ab)used by adversaries. Attackers leverage these tools to move laterally across the network or to establish persistence, giving themselves multiple avenues back into the environment. Such software often helps them evade traditional security measures like firewalls, WAFs, or IPS.
Adversaries might deploy their own remote access utilities, or just as easily exploit legitimate tools already in place and used by IT administrators, making it challenging to distinguish between normal and malicious activity. Knowing where and how to look can help you track adversary movements and locate their footholds.
This reference article aims to consolidate information on the logging and forensic artifacts generated by these remote access tools, aggregating insights scattered across various blogs and reports, as well as findings from extensive internal testing, all in one place.
Remote Access Software, Technique T1219 - Enterprise | MITRE ATT&CK®

This is not an exhaustive list but highlights the most commonly observed tools in the wild. Ease of use is a significant factor in their abuse; adversaries typically avoid signing up for enterprise-grade trial products unless absolutely necessary.
Possible future additions: Atera, BeyondTrust (formerly Bomgar)
Feedback/Questions: Vikas Singh | LinkedIn