title: Remote Desktop Software (T1219.002)
id: df00tech-t1219-002
status: experimental
description: "An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, is commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules or features may also exist as part of other software, such as Zoom or Google Chrome's Remote Desktop."
references:
  - https://attack.mitre.org/techniques/T1219/002/
  - https://df00tech.com/detections/T1219.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1219.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
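  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the '*' wildcard matches every event that
  # carries an EventID field, so it does not narrow results to remote desktop software.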
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT helpdesk technicians using approved RMM tools (TeamViewer, ScreenConnect, LogMeIn) for employee support sessions with active support tickets"
  - "Managed Service Providers (MSPs) running authorized RMM agents (ConnectWise, Splashtop) as part of contracted endpoint management"
  - "End users launching pre-installed remote desktop tools from standard paths for legitimate personal use (Chrome Remote Desktop)"
  - "Software deployment systems (SCCM, PDQ Deploy) installing or updating approved RMM agents across the fleet"
level: medium
