| ID | B0022 |
| Objective(s) | Impact, Persistence |
| Related ATT&CK Techniques | None |
| Impact Type | Breach |
| Version | 2.2 |
| Created | 1 August 2019 |
| Last Modified | 30 April 2024 |
Malware may provide an attacker with potentially full access to a system via a remote network connection, which may also provide persistence.
A RAT (Remote Access Trojan) is an example of malware that provides a degree of remote access. If the malware provides an "execute" command, the attacker may choose to delete files or corrupt data, power-off the machine, or upload and execute other applications. The malware may also provide specific commands to the attacker (e.g., Delete File). Explicit commands provided by the malware can be captured with Methods associated with the Execution::Remote Commands (B0011) behavior; examples include Execution:Remote Commands:Execute and Execution:Remote Commands:Delete File.
Note that the Ingress Tool Transfer (T1105) technique defined under the Command and Control tactic is no longer specific to "legitimate desktop support and remote access software” as it was under a previous version of ATT&CK. However, Ingress Tool Transfer relates only to files copied; this MBC behavior is broader, allowing for remote access behaviors beyond file transfers (i.e., Impact:Remote Access and Command and Control: Ingress Tool Transfer are not equivalent).
| Name | ID | Description |
|---|---|---|
| Reverse Shell | B0022.001 | Malware may create a reverse shell. For example, malware can invoke cmd.exe and create three pipes (stdin, stdout, stderr) to forward data between cmd.exe and an adversary. |
| Name | Date | Method | Description |
|---|---|---|---|
| Poison Ivy | 2005 | -- | After the Poison Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [2] |
| Dark Comet | 2008 | -- | Dark Comet allows an attacker to control the system via a GUI. [3] |
| Hupigon | 2013 | -- | The malware acts as a backdoor. [4] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| create reverse shell on Linux | Remote Access::Reverse Shell (B0022.001) | -- |
| create reverse shell | Remote Access::Reverse Shell (B0022.001) | kernel32.PeekNamedPipe, kernel32.CreateProcess, kernel32.ReadFile, kernel32.WriteFile |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| persistence_rdp_registry | Remote Access (B0022) | -- |
| rat_spynet | Remote Access (B0022) | -- |
| parallax_mutexes | Remote Access (B0022) | -- |
| rat_pcclient | Remote Access (B0022) | -- |
| rat_fynloski_mutexes | Remote Access (B0022) | -- |
| rat_beebus_mutexes | Remote Access (B0022) | -- |
| xpertrat_files | Remote Access (B0022) | -- |
| xpertrat_mutexes | Remote Access (B0022) | -- |
| warzonerat_files | Remote Access (B0022) | -- |
| warzonerat_regkeys | Remote Access (B0022) | -- |
| evil_grab | Remote Access (B0022) | RegCreateKeyExA, RegSetValueExA, RegCreateKeyExW, RegSetValueExW |
| PlugX | Remote Access (B0022) | memcpy, RtlDecompressBuffer |
| ratsnif_mutexes | Remote Access (B0022) | -- |
| netwire_behavior | Remote Access (B0022) | RegSetValueExA |
| njrat_regkeys | Remote Access (B0022) | -- |
| rat_xtreme_mutexes | Remote Access (B0022) | -- |
| blackrat_apis | Remote Access (B0022) | CryptHashData, RtlDecompressBuffer, CreateProcessInternalW |
| blackrat_mutexes | Remote Access (B0022) | -- |
| blackrat_network_activity | Remote Access (B0022) | send |
| blackrat_registry_keys | Remote Access (B0022) | RegQueryValueExW, RegSetValueExW |
| uses_rdp_clip | Remote Access (B0022) | -- |
| uses_remote_desktop_session | Remote Access (B0022) | -- |
| rat_plugx_mutexes | Remote Access (B0022) | -- |
| obliquerat_files | Remote Access (B0022) | -- |
| obliquerat_mutexes | Remote Access (B0022) | -- |
| obliquerat_network_activity | Remote Access (B0022) | send |
| venomrat_mutexes | Remote Access (B0022) | -- |
| trochilusrat_apis | Remote Access (B0022) | OutputDebugStringW, NtCreateUserProcess, RegSetValueExW, CreateProcessInternalW |
| dcrat_behavior | Remote Access (B0022) | GetAddrInfo, GetAddrInfoW, CryptHashData |
| dcrat_files | Remote Access (B0022) | -- |
| dcrat_mutexes | Remote Access (B0022) | -- |
| karagany_system_event_objects | Remote Access (B0022) | NtCreateEventEx, NtCreateEvent |
| karagany_files | Remote Access (B0022) | -- |
| orcusrat_behavior | Remote Access (B0022) | RegOpenKeyExW |
| limerat_mutexes | Remote Access (B0022) | -- |
| limerat_regkeys | Remote Access (B0022) | -- |
| rat_luminosity | Remote Access (B0022) | CryptHashData, NtCreateMutant, NtCreateFile |
| rat_nanocore | Remote Access (B0022) | CryptHashData |
| static_rat_config | Remote Access (B0022) | -- |
| remcos_files | Remote Access (B0022) | -- |
| remcos_mutexes | Remote Access (B0022) | -- |
| remcos_regkeys | Remote Access (B0022) | -- |
[1] https://en.wikipedia.org/wiki/Remote_access_trojan
[2] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
[3] https://en.wikipedia.org/wiki/DarkComet
[4] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON