Which SIEM platforms have a T1219 detection rule?

df00tech provides T1219 (Remote Access Tools) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1219 detection?

The T1219 detection is rated medium severity with high confidence.

What are common false positives for T1219?

Common false positives for T1219 include: IT helpdesk staff using approved RMM tools (TeamViewer, ScreenConnect) for legitimate remote support sessions during business hours; Managed Service Providers (MSPs) running Atera, NinjaOne, or ConnectWise agents as part of contracted IT management services; Software developers using VNC or RustDesk for legitimate remote access to lab environments or build servers.

T1219

Remote Access Tools

Q: What data sources are required to detect Remote Access Tools (T1219)?

Detecting Remote Access Tools requires the following data sources: Process: Process Creation, Network Traffic: Network Connection Creation, Microsoft Defender for Endpoint.

Command and Control Last updated: April 19, 2026

An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software and remote management software allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access. Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system.

What is T1219 Remote Access Tools?

Remote Access Tools (T1219) maps to the Command and Control tactic — the adversary is trying to communicate with compromised systems to control them in MITRE ATT&CK.

This page provides production-ready detection logic for Remote Access Tools, covering the data sources and telemetry it touches: Process: Process Creation, Network Traffic: Network Connection Creation, Microsoft Defender for Endpoint. The queries below are rated medium severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1219 Remote Access Tools
Canonical reference: https://attack.mitre.org/techniques/T1219/

Microsoft Sentinel / Defender

kusto

let RATProcessNames = dynamic([
  "teamviewer.exe", "teamviewer_service.exe",
  "anydesk.exe", "anydesk_service.exe",
  "screenconnect.exe", "screenconnectclient.exe", "connectwisecontrol.client.exe",
  "logmein.exe", "lmi_rescue.exe", "logmeinrescue.exe",
  "ammyyadmin.exe", "aa_v3.exe",
  "supremo.exe", "supremoservice.exe",
  "rustdesk.exe", "splashtop.exe", "splashtopremote.exe",
  "ateraagent.exe", "ninjaone.exe", "ninjaremote.exe",
  "simplehelp.exe", "dwrcs.exe", "dwrcst.exe",
  "tmate", "vnc.exe", "tvnserver.exe", "vncviewer.exe",
  "uvnc_service.exe", "winvnc.exe",
  "remotedesktopmanager.exe", "mstsc.exe",
  "chrome_remote_desktop.exe", "remote_assistance_host.exe"
]);
let RATNetworkDomains = dynamic([
  "teamviewer.com", "anydesk.com", "screenconnect.com", "connectwise.com",
  "logmein.com", "logmeinrescue.com", "ammyy.com",
  "supremo.com", "rustdesk.com", "splashtop.com",
  "atera.com", "ninjarmm.com", "simplehelp.com"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (RATProcessNames)
| extend IsService = InitiatingProcessFileName in~ ("services.exe", "svchost.exe")
| extend IsUserLaunched = InitiatingProcessFileName in~ ("explorer.exe", "cmd.exe", "powershell.exe")
| extend RATCategory = case(
    FileName has_any ("teamviewer", "anydesk", "screenconnect", "connectwise"), "Commercial RMM",
    FileName has_any ("vnc", "tvnserver", "winvnc", "uvnc"), "VNC",
    FileName has_any ("logmein", "lmi_rescue"), "LogMeIn",
    FileName has_any ("ammyy", "aa_v3"), "AmmyyAdmin",
    FileName has_any ("rustdesk", "splashtop", "supremo"), "Other RMM",
    FileName has_any ("atera", "ninja", "simplehelp", "dwrcs"), "MSP Tool",
    "Unknown")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RATCategory, IsService, IsUserLaunched
| sort by Timestamp desc

Detects execution of known remote access tool (RAT/RMM) processes using Microsoft Defender for Endpoint DeviceProcessEvents. Covers major commercial tools (TeamViewer, AnyDesk, ScreenConnect/ConnectWise, LogMeIn, AmmyyAdmin, Splashtop, RustDesk, Supremo), MSP management platforms (Atera, NinjaOne, SimpleHelp, DameWare), and VNC variants. Categorizes each tool type and identifies whether it was launched as a service or interactively by a user.

medium severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT helpdesk staff using approved RMM tools (TeamViewer, ScreenConnect) for legitimate remote support sessions during business hours
Managed Service Providers (MSPs) running Atera, NinjaOne, or ConnectWise agents as part of contracted IT management services
Software developers using VNC or RustDesk for legitimate remote access to lab environments or build servers
System administrators using DameWare Mini Remote Control for server management across data centers

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\teamviewer.exe" OR Image="*\\teamviewer_service.exe"
   OR Image="*\\anydesk.exe" OR Image="*\\anydesk_service.exe"
   OR Image="*\\screenconnect*.exe" OR Image="*\\connectwisecontrol*.exe"
   OR Image="*\\logmein.exe" OR Image="*\\lmi_rescue.exe"
   OR Image="*\\ammyyadmin.exe" OR Image="*\\aa_v3.exe"
   OR Image="*\\supremo.exe" OR Image="*\\supremoservice.exe"
   OR Image="*\\rustdesk.exe" OR Image="*\\splashtop*.exe"
   OR Image="*\\atera*.exe" OR Image="*\\ninja*.exe"
   OR Image="*\\simplehelp*.exe" OR Image="*\\dwrcs.exe" OR Image="*\\dwrcst.exe"
   OR Image="*\\vnc*.exe" OR Image="*\\tvnserver.exe" OR Image="*\\winvnc.exe"
   OR Image="*\\uvnc_service.exe" OR Image="*\\tmate")
| eval RATCategory=case(
    match(Image, "(?i)(teamviewer|anydesk|screenconnect|connectwise)"), "Commercial RMM",
    match(Image, "(?i)(vnc|tvnserver|winvnc|uvnc)"), "VNC",
    match(Image, "(?i)(logmein|lmi_rescue)"), "LogMeIn",
    match(Image, "(?i)(ammyy|aa_v3)"), "AmmyyAdmin",
    match(Image, "(?i)(rustdesk|splashtop|supremo)"), "Other RMM",
    match(Image, "(?i)(atera|ninja|simplehelp|dwrcs)"), "MSP Tool",
    1=1, "Unknown")
| eval IsService=if(match(ParentImage, "(?i)(services\.exe|svchost\.exe)"), "Yes", "No")
| eval IsUserLaunched=if(match(ParentImage, "(?i)(explorer\.exe|cmd\.exe|powershell\.exe)"), "Yes", "No")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, RATCategory, IsService, IsUserLaunched
| sort - _time

Detects execution of known remote access tools via Sysmon Process Creation (Event ID 1). Covers TeamViewer, AnyDesk, ScreenConnect/ConnectWise, LogMeIn, AmmyyAdmin, VNC variants, RustDesk, Splashtop, Supremo, Atera, NinjaOne, SimpleHelp, and DameWare. Categorizes tool type and distinguishes between service-launched and user-launched instances to aid triage prioritization.

medium severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT helpdesk staff using approved RMM tools for legitimate remote support sessions during business hours
Managed Service Providers running authorized RMM agents as part of contracted IT management
Software developers using VNC for remote access to development or lab environments
System administrators using DameWare for routine server management tasks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name",
  "Command Line",
  "Parent Process Name",
  CATEGORYNAME(category) AS event_category,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*?(teamviewer|anydesk|screenconnect|connectwise).*?' THEN 'Commercial RMM'
    WHEN LOWER("Process Name") MATCHES '.*?(vnc|tvnserver|winvnc|uvnc).*?' THEN 'VNC'
    WHEN LOWER("Process Name") MATCHES '.*?(logmein|lmi_rescue).*?' THEN 'LogMeIn'
    WHEN LOWER("Process Name") MATCHES '.*?(ammyy|aa_v3).*?' THEN 'AmmyyAdmin'
    WHEN LOWER("Process Name") MATCHES '.*?(rustdesk|splashtop|supremo).*?' THEN 'Other RMM'
    WHEN LOWER("Process Name") MATCHES '.*?(atera|ninja|simplehelp|dwrcs).*?' THEN 'MSP Tool'
    ELSE 'Unknown'
  END AS rat_category,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*?(services\.exe|svchost\.exe).*?' THEN 'Yes'
    ELSE 'No'
  END AS is_service_launched,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*?(explorer\.exe|cmd\.exe|powershell\.exe).*?' THEN 'Yes'
    ELSE 'No'
  END AS is_user_launched
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 101, 143)
  AND QIDNAME(qid) ILIKE '%process%'
  AND (
    LOWER("Process Name") MATCHES '.*?teamviewer.*?'
    OR LOWER("Process Name") MATCHES '.*?anydesk.*?'
    OR LOWER("Process Name") MATCHES '.*?screenconnect.*?'
    OR LOWER("Process Name") MATCHES '.*?connectwisecontrol.*?'
    OR LOWER("Process Name") MATCHES '.*?logmein.*?'
    OR LOWER("Process Name") MATCHES '.*?lmi_rescue.*?'
    OR LOWER("Process Name") MATCHES '.*?ammyyadmin.*?'
    OR LOWER("Process Name") MATCHES '.*?aa_v3\.exe.*?'
    OR LOWER("Process Name") MATCHES '.*?supremo.*?'
    OR LOWER("Process Name") MATCHES '.*?rustdesk.*?'
    OR LOWER("Process Name") MATCHES '.*?splashtop.*?'
    OR LOWER("Process Name") MATCHES '.*?ateraagent.*?'
    OR LOWER("Process Name") MATCHES '.*?ninjaone.*?'
    OR LOWER("Process Name") MATCHES '.*?ninjaremote.*?'
    OR LOWER("Process Name") MATCHES '.*?simplehelp.*?'
    OR LOWER("Process Name") MATCHES '.*?dwrcs.*?'
    OR LOWER("Process Name") MATCHES '.*?dwrcst.*?'
    OR LOWER("Process Name") MATCHES '.*?tmate.*?'
    OR LOWER("Process Name") MATCHES '.*?tvnserver.*?'
    OR LOWER("Process Name") MATCHES '.*?winvnc.*?'
    OR LOWER("Process Name") MATCHES '.*?uvnc_service.*?'
    OR LOWER("Process Name") IN ('vnc.exe', 'vncviewer.exe')
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS

QRadar AQL query detecting process creation events for known Remote Access Tools across Windows endpoints using Sysmon or Windows Security event sources. Normalizes results with RATCategory classification and flags whether the process was service- or user-initiated, enabling triage differentiation between managed RMM deployment and adversary-initiated remote access.

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log (via QRadar DSM) Sysmon event log forwarded to QRadar Carbon Black or CrowdStrike DSM process events

Required Tables

events

False Positives

Sanctioned MSP agents (Atera, NinjaRMM, ScreenConnect) deployed to managed endpoints as part of a formal IT contract
Internal IT staff using TeamViewer or AnyDesk for routine remote support tickets
Developer workstations running tmate for collaborative terminal sharing during code review

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*process*
| where EventID = "1" OR EventCode = "1"
| parse field=Image "*\\*" as image_dir, image_file nodrop
| where image_file matches /(?i)(teamviewer|teamviewer_service|anydesk|anydesk_service|screenconnect|connectwisecontrol|logmein|lmi_rescue|logmeinrescue|ammyyadmin|aa_v3|supremo|supremoservice|rustdesk|splashtop|ateraagent|ninjaone|ninjaremote|simplehelp|dwrcs|dwrcst|tmate|tvnserver|vncviewer|uvnc_service|winvnc|chrome_remote_desktop|remote_assistance_host)\.exe$/
| eval rat_category = if(image_file matches /(?i)(teamviewer|anydesk|screenconnect|connectwise)/, "Commercial RMM",
    if(image_file matches /(?i)(vnc|tvnserver|winvnc|uvnc)/, "VNC",
    if(image_file matches /(?i)(logmein|lmi_rescue)/, "LogMeIn",
    if(image_file matches /(?i)(ammyy|aa_v3)/, "AmmyyAdmin",
    if(image_file matches /(?i)(rustdesk|splashtop|supremo)/, "Other RMM",
    if(image_file matches /(?i)(atera|ninja|simplehelp|dwrcs)/, "MSP Tool",
    "Unknown"))))))
| eval is_service_launched = if(ParentImage matches /(?i)(services\.exe|svchost\.exe)/, "Yes", "No")
| eval is_user_launched = if(ParentImage matches /(?i)(explorer\.exe|cmd\.exe|powershell\.exe)/, "Yes", "No")
| count by _time, Computer, User, image_file, CommandLine, ParentImage, rat_category, is_service_launched, is_user_launched
| sort by _time desc

Sumo Logic CSE query detecting Remote Access Tool (RAT) and RMM software execution on Windows endpoints via Sysmon Event ID 1 (Process Create). Parses process image paths, classifies tool categories, and annotates whether the launch originated from a service or an interactive user session to assist analyst triage under MITRE ATT&CK T1219.

medium severity high confidence

Data Sources

Sysmon logs forwarded to Sumo Logic via installed collector Windows endpoint agent with process telemetry

Required Tables

Windows Sysmon Event ID 1 (Process Create)

False Positives

Corporate endpoints where RMM agents like NinjaRMM or Atera are deployed under a formal managed services agreement
Help desk technicians initiating ad hoc TeamViewer or AnyDesk sessions to assist end users
Developers or QA engineers using RustDesk or tmate for cross-team terminal or desktop sharing

Google Chronicle / SecOps

yaral

rule t1219_remote_access_tools {
  meta:
    author = "df00tech"
    description = "Detects execution of known Remote Access Tools and RMM software (MITRE ATT&CK T1219). Identifies commercial RMM tools, VNC variants, MSP management agents, and open-source remote access utilities launched on Windows endpoints."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1219"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""
    (
      re.regex($e.target.process.file.full_path, `(?i)(teamviewer|teamviewer_service|anydesk|anydesk_service|screenconnect|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|ammyyadmin|aa_v3|supremo|supremoservice|rustdesk|splashtop|ateraagent|ninjaone|ninjaremote|simplehelp|dwrcs|dwrcst|tmate|tvnserver|vncviewer|uvnc_service|winvnc|chrome_remote_desktop|remote_assistance_host)\.exe$`)
    )

  match:
    $e.principal.hostname over 15m

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_name = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path
    $rat_category = if(
      re.regex($e.target.process.file.full_path, `(?i)(teamviewer|anydesk|screenconnect|connectwise)`), "Commercial RMM",
      if(
        re.regex($e.target.process.file.full_path, `(?i)(vnc|tvnserver|winvnc|uvnc)`), "VNC",
        if(
          re.regex($e.target.process.file.full_path, `(?i)(logmein|lmi_rescue)`), "LogMeIn",
          if(
            re.regex($e.target.process.file.full_path, `(?i)(ammyy|aa_v3)`), "AmmyyAdmin",
            if(
              re.regex($e.target.process.file.full_path, `(?i)(rustdesk|splashtop|supremo)`), "Other RMM",
              if(
                re.regex($e.target.process.file.full_path, `(?i)(atera|ninja|simplehelp|dwrcs)`), "MSP Tool",
                "Unknown"
              )
            )
          )
        )
      )
    )
    $is_service_launched = if(
      re.regex($e.principal.process.file.full_path, `(?i)(services\.exe|svchost\.exe)`), "Yes", "No"
    )
    $is_user_launched = if(
      re.regex($e.principal.process.file.full_path, `(?i)(explorer\.exe|cmd\.exe|powershell\.exe)`), "Yes", "No"
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting Remote Access Tool process launches on Windows endpoints. Monitors PROCESS_LAUNCH UDM events and matches against a comprehensive list of known RMM and remote access binary names. Enriches detections with tool category classification and launch context (service vs. interactive user), supporting analyst triage of MITRE ATT&CK T1219.

medium severity high confidence

Data Sources

Chronicle UDM PROCESS_LAUNCH events from Windows endpoint telemetry Sysmon or EDR forwarded to Chronicle via ingestion pipeline

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Enterprise environments where ScreenConnect or Atera is centrally deployed and whitelisted for IT operations
End users with personal copies of AnyDesk or TeamViewer installed for home-to-office remote access
Security red team exercises using RustDesk or SimpleHelp to simulate adversary remote access

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(teamviewer|teamviewer_service|anydesk|anydesk_service|screenconnect|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|ammyyadmin|aa_v3|supremo|supremoservice|rustdesk|splashtop|ateraagent|ninjaone|ninjaremote|simplehelp|dwrcs|dwrcst|tmate|tvnserver|vncviewer|uvnc_service|winvnc|chrome_remote_desktop|remote_assistance_host)\.exe$/i
| eval rat_category = case(
    ImageFileName = /(?i)(teamviewer|anydesk|screenconnect|connectwise)/, "Commercial RMM",
    ImageFileName = /(?i)(vnc|tvnserver|winvnc|uvnc)/, "VNC",
    ImageFileName = /(?i)(logmein|lmi_rescue)/, "LogMeIn",
    ImageFileName = /(?i)(ammyy|aa_v3)/, "AmmyyAdmin",
    ImageFileName = /(?i)(rustdesk|splashtop|supremo)/, "Other RMM",
    ImageFileName = /(?i)(atera|ninja|simplehelp|dwrcs)/, "MSP Tool",
    *,  "Unknown"
  )
| eval is_service_launched = if(ParentBaseFileName = /(?i)(services\.exe|svchost\.exe)/, "Yes", "No")
| eval is_user_launched = if(ParentBaseFileName = /(?i)(explorer\.exe|cmd\.exe|powershell\.exe)/, "Yes", "No")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, rat_category, is_service_launched, is_user_launched])
| sort(timestamp, order=desc)

CrowdStrike LogScale (Falcon) query detecting Remote Access Tool execution using ProcessRollup2 events. Matches known RMM and remote access binaries by image filename using regex, enriches with tool category, and annotates parent process context to distinguish managed service agent launches from adversary-initiated interactive remote sessions under MITRE ATT&CK T1219.

medium severity high confidence

Data Sources

CrowdStrike Falcon sensor ProcessRollup2 events Falcon Data Replicator (FDR) process telemetry

Required Tables

ProcessRollup2

False Positives

CrowdStrike-managed endpoints in organizations with contracted MSP support running NinjaRMM, Atera, or ScreenConnect as approved tools
IT administrators using AnyDesk or TeamViewer to remotely support endpoints outside business hours
Vendor-provided software bundles that include embedded RMM agents for hardware or software warranty support

Sigma rule & cross-platform mapping

The detection logic for Remote Access Tools (T1219) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1219 Sigma rules on detection.fyi

Platform-specific guides for T1219

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-19 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1AnyDesk Portable Execution from Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\anydesk_test.exe. Sysmon Event ID 3: Network connection to AnyDesk relay servers (*.net.anydesk.com). Sysmon Event ID 11: File creation in %TEMP% for the AnyDesk binary. Sysmon Event ID 22: DNS query for anydesk.com domains.
Test 2TeamViewer Service Installation Detection
Expected signal: Sysmon Event ID 12: Registry key created at HKCU\SOFTWARE\TeamViewer_Test. Sysmon Event ID 13: Registry value set for Run key persistence. Security Event ID 4688: reg.exe process creation with command line containing TeamViewer.
Test 3VNC Server Execution Test
Expected signal: Sysmon Event ID 1: Process Create with Image containing tvnserver.exe or cmd.exe (mock). If TightVNC present: Sysmon Event ID 3 for VNC listening on port 5900. Security Event ID 4688 with command line arguments.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1219 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Remote Access Tools

What is T1219 Remote Access Tools?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1219

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Command and Control

Popular Detections

What is T1219 Remote Access Tools?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1219

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox