MITRE ATT&CK detection coverage

← Back to main site

Home/ MITRE Matrix/ Command and Control/ T1219

T1219Remote Access Tools

T1219 — Remote Access Tools is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 30 detection use cases covering it and 70 threat-intel articles citing it.

Command and Control

View on the matrix → Filter Detection Library MITRE official spec ↗

30Use cases

70Articles

3Sub-techniques

1Tactic

Sub-techniques (3)

T1219.001 · IDE Tunneling T1219.003 · Remote Access Hardware T1219.002 · Remote Desktop Software

Use cases covering this technique (30)

RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Internal install · hunting DSΣP Detect Remote Access Software Usage File ESCU actions · hunting P Detect Remote Access Software Usage FileInfo ESCU actions · hunting P Detect Remote Access Software Usage Process ESCU actions · hunting P Detect Remote Access Software Usage Registry ESCU actions · hunting P Windows Level RMM PowerShell Script Installer ESCU actions · hunting P Windows Level RMM Watchdog Task Created ESCU actions · hunting P Windows Remote Access Software BRC4 Loaded Dll ESCU actions · hunting P Windows Remote Access Software RMS Registry ESCU actions · alerting P Windows RMM Tool Execution ESCU actions · hunting P Cisco Secure Firewall - Communication Over Suspicious Ports ESCU actions · hunting P Cisco Secure Firewall - Remote Access Software Usage Traffic ESCU actions · hunting P Detect Remote Access Software Usage DNS ESCU actions · hunting P Detect Remote Access Software Usage Traffic ESCU actions · hunting P HTTP RMM User Agent ESCU actions · hunting P Detect Remote Access Software Usage URL ESCU actions · hunting P Windows Remote Access Software Hunt ESCU actions · hunting P [LLM] GS-Netcat Relay C2 (gs.thc.org) + systemd Persistence Service Bespoke c2 · alerting DSΣPDDCS [LLM] MeshCentral agent disguised as Microsoft Azure binary calling azurenetfiles.net Bespoke c2 · alerting DSΣPDDCS [LLM] AGENTPSD-style Python reverse shell spawned by sshd on Linux / NAS Bespoke install · hunting DSΣPDDCS [LLM] Quick Assist launched followed by remote interactive session (UNC3753 vishing pretext) Bespoke delivery · hunting DSΣPDDCS [LLM] AnyDesk, Bomgar, SuperOps or Zoho Assist installer execution (UNC3753 RMM foothold) Bespoke install · hunting DSΣPDDCS [LLM] Reverse-shell /dev/tcp file descriptor from Yamcs java process tree Bespoke c2 · alerting DSΣPDDCS [LLM] OpenSSH reverse port-forward (-R) launched on a workstation - Cloud Atlas backup C2 Bespoke c2 · alerting DSΣPDDCS [LLM] OpenClaw Gateway WebSocket listener / loopback connection on TCP 18789 Bespoke c2 · hunting DSΣPDDCS [LLM] MuddyWater SimpleHelp RMM client spawning shell or recon LOLBin Bespoke install · alerting DSΣP [LLM] PromptSpy VNC C2 egress to 54.67.2.84 Bespoke c2 · hunting DSΣPDDCS [LLM] ScreenConnect client beaconing to ClawdBot attacker relay (meeting.bulletmailer.net:8041) Bespoke c2 · hunting DSΣPDDCS [LLM] Weaponised ScreenConnect install path with attacker instance GUID 083e4d30c7ea44f7 Bespoke install · alerting DSΣPDDCS [LLM] ScreenConnect MSI sideload from lmfao.su (Solidity Language post-exploit RAT install) Bespoke install · alerting DSΣPDDCS

Articles citing this technique (70)

crit Chinese hackers hijack auth flow, spy on isolated network for a decade art-07

crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered art-15

high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit art-17

med Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection art-23

high Over 400 Arch Linux packages compromised to push rootkit, infostealer art-25

crit Rethinking MDR as Attackers and Defenders Embrace AI art-30

crit ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities art-37

high A tale of two eras art-40

high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41

crit The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm art-44

crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48

crit OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack art-53

crit OceanLotus: From external espionage to domestic targeting art-54

high Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter art-78

crit Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now art-84

crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87

high Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer art-90

crit LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE art-92

high When “Hi, This Is IT” Comes Through Microsoft Teams art-98

crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102

crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107

crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108

crit Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign art-139

crit Containers on fire: from container escapes to supply chain attacks art-158

crit Malicious npm packages abuse dependency confusion to profile developer environments art-161

crit Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection art-178

crit What’s in the container? Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and the KIRA AI assistant art-180

high Typosquatted npm packages used to steal cloud and CI/CD secrets art-183

crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187

crit [GHSA / CRITICAL] CVE-2026-46621: Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection art-191

crit [GHSA / CRITICAL] CVE-2026-46562: Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override art-192

crit [GHSA / CRITICAL] CVE-2026-44632: Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExe art-202

crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218

crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219

crit Webworm: New burrowing techniques art-240

crit [GHSA / CRITICAL] CVE-2026-46339: 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes art-251

crit [GHSA / CRITICAL] CVE-2026-2587: GlassFish's gadget handler is vulnerable to RCE art-257

high The time of much patching is coming art-296

crit [GHSA / CRITICAL] CVE-2026-46442: FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape art-304

crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316

crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322

crit Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution art-325

crit CISA KEV: CVE-2024-1708 — ConnectWise ScreenConnect Path Traversal Vulnerability art-350

high Securing Vibe Coding and AI Coding Agents: An End-to-End Approach with StepSecurity art-395

crit axios Compromised on npm - Malicious Versions Drop Remote Access Trojan art-401

crit Cline Supply Chain Attack Detected: cline@2.3.0 Silently Installs OpenClaw art-404

high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408

high Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT art-420

crit litellm: Credential Stealer Hidden in PyPI Wheel art-423

high Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised art-430

med Cloud workload security: Mind the gaps art-442

crit How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM art-443

high CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran art-444

crit Cyber fallout from the Iran war: What to have on your radar art-474

crit Protecting education: How MDR can tip the balance in favor of schools art-491

high PromptSpy ushers in the era of Android threats using GenAI art-519

crit Naming and shaming: How ransomware groups tighten the screws on victims art-544

high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594

high ServiceNow's Virtual Agent Vulnerability Shows Why AI Security Needs Traditional AppSec Foundations art-624

crit LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan art-642

crit ESET APT Activity Report Q2 2025–Q3 2025 art-715

high Sharing is scaring: The WhatsApp scam you didn’t see coming art-716

high Ground zero: 5 things to do after discovering a cyberattack art-722

high How MDR can give MSPs the edge in a competitive market art-730

high Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack art-789

crit Lessons from AWS CodeBuild’s Memory-Dump Incident (CVE-2025-8217) art-823

high Cursor IDE Malware Extension Compromise in $500k Crypto Heist art-842

high Finding Software Flaws Early in the Development Process Provides Clear ROI art-871

crit CISA KEV: CVE-2025-3935 — ConnectWise ScreenConnect Improper Authentication Vulnerability art-887

med Understanding command injection vulnerabilities in Go art-1080