
T1219.002 Remote Desktop Software in MITRE ATT&CK Explained

Written by Sıla Özeren Hacıoğlu | Mar 19, 2026 6:30:00 AM

What Is T1219.002 Remote Desktop Software in MITRE ATT&CK?

T1219.002 Remote Desktop Software is a sub-technique of Remote Access Tools (T1219) in the MITRE ATT&CK framework, under the Command and Control tactic. It refers to the use of legitimate remote desktop and desktop support tools by adversaries to interactively control a compromised system after gaining access.

These tools give the attacker a graphical session on the compromised system: the attacker sees its screen and drives it through keyboard and mouse input, with the same capabilities as a user sitting at the console. That lets adversaries execute commands, manipulate data, steal information, or deploy further payloads. Because the session traffic is TLS-encrypted and typically brokered through the vendor's own relay infrastructure over standard web ports, it also blends into ordinary outbound traffic far better than a custom command-and-control implant would, which is why network-based defenses rarely flag it on their own.

To read about other sub-techniques of the T1219 Remote Access Tools technique, you can visit the related hub blog.

Adversary Use of T1219.002 Remote Desktop Software

Attackers use remote desktop software because it gives them live, interactive control over compromised systems while blending in with legitimate administrative activity. These tools provide a reliable command and control channel, often install persistent services that survive reboots, and are typically trusted and allowed in enterprise environments, making malicious use harder to detect.

Typical Usage in an Attack Chain

After initial compromise (e.g., phishing, vulnerability exploitation, stolen credentials), attackers may:

  • Install or launch a legitimate remote desktop tool on the victim host.
  • Connect back to the victim machine to control it interactively.
  • Transfer additional tools, elevate privileges, or perform data exfiltration under this remote session.

Examples of Tools Used

  • TeamViewer
  • AnyDesk
  • ScreenConnect
  • Splashtop
  • Atera
  • Remcos
  • Remote Utilities and similar RMM platforms

Note that Remcos, although sold commercially as a remote administration tool, is broadly classified by security vendors as a remote access trojan and is typically blocked by endpoint protection; it appears here because adversaries use it for the same interactive control, not because it is trusted in enterprise environments the way the other tools are.

Some remote access features built into software (e.g., Zoom, Chrome Remote Desktop) can also be co-opted.

Procedure Examples Used by Adversaries in Red Report 2026

In an analysis of the Chaos ransomware-as-a-service (RaaS) group done in June 2025 [1], researchers observed that the actor installed RMM tools such as AnyDesk, ScreenConnect, OptiTune, Syncro RMM and Splashtop Streamer on compromised machines to establish a persistent connection into the victim network.

Likewise, a November 2025 CISA advisory on Akira ransomware highlights that, for command-and-control establishment [2], threat actors commonly rely on widely available remote access and tunneling tools such as AnyDesk, MobaXterm, RustDesk, and Cloudflare Tunnel. Of these, AnyDesk and RustDesk are remote desktop software in the T1219.002 sense; MobaXterm is an SSH and X11 terminal client and Cloudflare Tunnel is a tunneling service, so ATT&CK tracks them under other techniques even though they serve the same goal of durable remote access.

Another example is from a December 2025 investigation into DeadLock ransomware activity. The researchers observed the threat actor deploying a fresh AnyDesk installation from within a compromised user account shortly before the encryption phase [3]. The timing suggests the installation was intended to secure persistent remote access to the targeted system.

C:\AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent --update-disabled
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --start-service
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control

Although AnyDesk was already present elsewhere in the environment, this additional deployment stood out as anomalous. The actor executed a deliberate command sequence to install AnyDesk silently into Program Files, register it for automatic startup, start its Windows service, enable unattended access via a predefined password, and disable update functionality that could disrupt the remote session. Note that --set-password reads the password from standard input rather than from the command line, so the password itself never appears in process-creation telemetry; the presence of the flag, not its value, is what a detection has to key on.
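The following Python script is an added example, not code from this page, from Picus, or from Cisco Talos. It turns the command sequence above, together with the install-then-connect-back chain from the "Typical Usage in an Attack Chain" section, into a hunt over process-creation telemetry: it tokenizes each AnyDesk command line (keeping quoted paths intact), scores the install flags that configure unattended access, and correlates them with a later --set-password on the same host. The event records, their field names (modelled on Sysmon Event ID 1), the host and user names, and the 900-second correlation window are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Install flags from the command sequence on this page. Together they set up
# AnyDesk for unattended, persistent access with no prompts and no updates.
UNATTENDED_FLAGS = {
    "--silent": "silent install (no user interaction)",
    "--start-with-win": "registered to start with Windows",
    "--update-disabled": "automatic updates disabled",
}
PASSWORD_FLAG = "--set-password"   # unattended-access password, read from stdin


@dataclass(frozen=True)
class ProcEvent:
    # Field names are an assumption modelled on Sysmon Event ID 1.
    ts: int        # event time in seconds since epoch (constructed values)
    host: str
    user: str
    image: str     # path of the created process
    cmdline: str


@dataclass
class Finding:
    host: str
    user: str
    severity: str
    reasons: tuple


_ARG_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted
    paths with spaces as one token and stripping the quotes."""
    return [t.strip('"') for t in _ARG_RE.findall(cmdline)]


def anydesk_flags(ev):
    """Return the --flags of an AnyDesk command line; empty set otherwise."""
    if not ev.image.lower().endswith("anydesk.exe"):
        return set()
    return {t.lower() for t in tokenize(ev.cmdline) if t.startswith("--")}


def hunt(events, window_s=900):
    """Correlate unattended-style installs with a later --set-password.

    high:   install with at least two unattended flags, then --set-password
            on the same host within window_s seconds
    medium: either half on its own
    Interactive installs (fewer than two unattended flags) are not reported.
    """
    findings = []
    pending = {}   # host -> (install event, reasons) awaiting a password event
    for ev in sorted(events, key=lambda e: e.ts):
        flags = anydesk_flags(ev)
        if "--install" in flags:
            reasons = [why for f, why in UNATTENDED_FLAGS.items() if f in flags]
            if len(reasons) >= 2:
                pending[ev.host] = (ev, reasons)
        elif PASSWORD_FLAG in flags:
            prior = pending.pop(ev.host, None)
            if prior is not None and ev.ts - prior[0].ts > window_s:
                # Too old to correlate: report the install on its own.
                findings.append(Finding(prior[0].host, prior[0].user, "medium", tuple(prior[1])))
                prior = None
            if prior is not None:
                findings.append(Finding(ev.host, ev.user, "high",
                                        tuple(prior[1] + ["unattended-access password set"])))
            else:
                findings.append(Finding(ev.host, ev.user, "medium",
                                        ("unattended-access password set",)))
    # Installs never followed by a password are still worth a look.
    for ev, reasons in pending.values():
        findings.append(Finding(ev.host, ev.user, "medium", tuple(reasons)))
    return findings


# Constructed telemetry for the example (hosts, users and timestamps are made up).
SAMPLE_EVENTS = [
    # WS-017: the sequence reported on this page, run from a user account.
    ProcEvent(1700000000, "WS-017", "CORP\\jdoe", r"C:\AnyDesk.exe",
              r'C:\AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent --update-disabled'),
    ProcEvent(1700000020, "WS-017", "CORP\\jdoe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
              r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --start-service'),
    ProcEvent(1700000040, "WS-017", "CORP\\jdoe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
              r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password'),
    ProcEvent(1700000060, "WS-017", "CORP\\jdoe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
              r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control'),
    # WS-042: interactive help-desk install, no silent flag, no password -> not reported.
    ProcEvent(1700000100, "WS-042", "CORP\\helpdesk", r"C:\Users\helpdesk\Downloads\AnyDesk.exe",
              r'C:\Users\helpdesk\Downloads\AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win'),
    # WS-099: password set on an existing install with no recent install -> medium.
    ProcEvent(1700000200, "WS-099", "CORP\\svc_backup", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
              r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password'),
    # Unrelated process, ignored by the AnyDesk filter.
    ProcEvent(1700000300, "WS-017", "CORP\\jdoe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.user}: " + "; ".join(f.reasons))
```

Run against the sample, the script reports one high-severity finding for WS-017, where the install flags and the later --set-password reproduce the page's sequence, and one medium-severity finding for WS-099; the interactive help-desk install on WS-042 is not reported. Each finding carries the matched reasons so an analyst can see which step of the procedure fired, and the same functions work unchanged on a SIEM export as long as the process image and command line fields are mapped onto ProcEvent.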


References

[1] A. Bennett, “Unmasking the new Chaos RaaS group attacks,” Cisco Talos Blog, Jul. 24, 2025. Available: https://blog.talosintelligence.com/new-chaos-ransomware/. [Accessed: Dec. 22, 2025]

[2] CISA, “#StopRansomware: Akira Ransomware,” Cybersecurity Advisory AA24-109A. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

[3] J. Dunk, “New BYOVD loader behind DeadLock ransomware attack,” Cisco Talos Blog, Dec. 09, 2025. Available: https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/. [Accessed: Dec. 22, 2025]