title: Remote Access Tools (T1219)
id: df00tech-t1219
status: experimental
description: "An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software and remote management software allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access. Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system."
references:
  - https://attack.mitre.org/techniques/T1219/
  - https://df00tech.com/detections/T1219
author: df00tech
date: 2026/04/19
tags:
  - attack.t1219
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT helpdesk staff using approved RMM tools (TeamViewer, ScreenConnect) for legitimate remote support sessions during business hours"
  - "Managed Service Providers (MSPs) running Atera, NinjaOne, or ConnectWise agents as part of contracted IT management services"
  - Software developers using VNC or RustDesk for legitimate remote access to lab environments or build servers
  - System administrators using DameWare Mini Remote Control for server management across data centers
level: medium