Identify and Monitor Remote Access Tools (CM0036)

In Playbook

Details

  • ID: CM0036
  • Version: 1.0
  • Created: 14 March 2025
  • Modified: 14 March 2025
  • Type: Examine
  • Status: Active

Intended Outcome

Disabling or restricting remote access tools blocks or restricts adversary persistence, lateral movement, and exfiltration using remote access tools.

Introduction

Some of the most common remote access tools include TeamViewer, AnyDesk, VNC Connect, Remote Desktop Protocol (RDP), Secure Shell (SSH), Virtual Private Networks (VPNs), and Windows Remote Desktop Services (RDS).Security professionals need to be aware of all remote access tools enabled within their environment. In addition, security operations should consider assessing visibility into remote access tool usage and affirm strong remote access application monitoring practices if tools are used on the organization's network.

Preparation

  • Determine what is necessary for day-to-day operations prior to disabling native remote access applications.

Risks

  • This countermeasure may have impacts that disrupt operations.
  • Limiting remote access tools can lead to reduced operational flexibility and convenience.

Guidance

  • Determine the presence of existing remote access tools (TeamViewer, AnyDesk, VNC Connect, Remote Desktop Protocol (RDP), SSH, VPNs, Windows Remote Desktop Services (RDS), etc.) and ensure remote access activity is being logged and monitored.
  • Identify open ports commonly used for remote access (20 (FTP), 21 (FTP), 22 (SSH), 23 (Telnet), 3389 (Microsoft Remote Display Protocol)). Note, the absence of these ports does not negate the presence of remote access tools/protocols.
  • Ensure the use of secure protocols such as Secure File Transfer Protocol (SFTP) and Secure Shell (SSH).
  • Alert on persistent/prolonged remote connections and implement idle session timeout.

References

  • ID: CM0036
  • Version: 1.0
  • Created: 13 March 2025
  • Modified: 13 March 2025
  • Type: Examine