MITRE ATT&CK® Tool

S0591: ConnectWise

ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[1][2]

Domain: Enterprise | ID: S0591 | Type: Tool | Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

ConnectWise is a legitimate Windows remote administration tool, which makes it operationally useful and security-relevant at the same time. ATT&CK notes that threat actors have used it to connect into victim environments and support lateral movement. For leaders, the issue is not that ConnectWise is inherently malicious; it is whether the organization can distinguish approved remote support activity from unauthorized or attacker-directed use.

Executive priority

Prioritize governance and monitoring of remote administration tooling because these tools can provide broad access while blending into normal IT operations. Executives should ask who is authorized to use ConnectWise, where it is installed, how access is approved, whether sessions are logged, and whether incident responders can quickly revoke or investigate remote access during a suspected compromise. This matters for resilience, ransomware readiness, audit evidence, and third-party or MSP access oversight.

Technical view

SOC and IR teams should validate visibility on Windows systems where ConnectWise or related remote administration components are present. ATT&CK provides no specific detection logic for this object, so coverage should be built around environment-approved baselines: expected hosts, users, service accounts, remote sessions, process activity, network destinations, and administrative actions. Relationship context links this tool to PowerShell execution, screen capture, and video capture techniques, so investigations should correlate remote administration sessions with PowerShell activity and collection-like behavior where telemetry exists.

Likely telemetry

  • Windows endpoint process execution and service installation events
  • Installed software and asset inventory showing approved remote administration tools
  • Authentication, privileged access, and remote session logs
  • Network connection metadata from endpoints to remote administration infrastructure
  • PowerShell execution logs where enabled

Detection direction

  • Establish an allowlist of approved ConnectWise deployments, administrators, service accounts, and expected management servers.
  • Alert on ConnectWise presence or execution on systems where it is not approved, especially sensitive servers, executive endpoints, or systems outside IT support scope.
  • Correlate remote administration sessions with unusual PowerShell activity, lateral movement indicators, or access outside normal support windows.
  • Review false positives carefully because legitimate IT and MSP activity may look similar to attacker use without asset, identity, and change-management context.
  • Validate whether logs capture enough detail to answer who connected, from where, to which host, for how long, and what actions followed.
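
The allowlist and correlation items above can be expressed as a small baseline check. The following Python is an added example, not Glexia's or MITRE's code; the baseline (approved hosts, users and management server), the event records and the process image names are all constructed for the example, and the client is recognised by the substrings "connectwise" and "screenconnect" rather than by any exact binary name, since those vary by version and deployment.

```python
"""Baseline-versus-observed check for a remote administration tool (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed baseline (assumption): what the organisation has formally approved.
BASELINE = {
    "approved_hosts": {"IT-SUPPORT-01", "IT-SUPPORT-02"},
    "approved_users": {"corp\\helpdesk.svc", "corp\\jdoe"},
    "approved_servers": {"support.example.internal"},
}

# Case-insensitive substrings that identify the remote administration client.
REMOTE_ADMIN_MARKERS = ("connectwise", "screenconnect")
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Event:
    """One endpoint record: a process start, optionally with its network destination."""
    ts: datetime
    host: str
    user: str
    image: str                  # process image file name
    parent_image: str
    dest: Optional[str] = None  # management server the process connected to, if logged


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    user: str
    ts: datetime
    reasons: List[str] = field(default_factory=list)


def is_remote_admin(image: str) -> bool:
    name = image.lower()
    return any(marker in name for marker in REMOTE_ADMIN_MARKERS)


def evaluate(events, baseline=BASELINE, window=timedelta(minutes=10)):
    """Return findings for remote admin activity outside the baseline and for
    PowerShell that is spawned by, or closely follows, a remote admin session."""
    findings = []
    last_admin_start = {}  # host -> timestamp of the most recent client start on it
    for ev in sorted(events, key=lambda e: e.ts):
        if is_remote_admin(ev.image):
            last_admin_start[ev.host] = ev.ts
            reasons = []
            if ev.host not in baseline["approved_hosts"]:
                reasons.append("unapproved_host")
            if ev.user not in baseline["approved_users"]:
                reasons.append("unapproved_user")
            if ev.dest and ev.dest not in baseline["approved_servers"]:
                reasons.append("unexpected_destination")
            if reasons:
                findings.append(Finding("remote_admin_outside_baseline", "high",
                                        ev.host, ev.user, ev.ts, reasons))
        elif ev.image.lower() in POWERSHELL_IMAGES:
            if is_remote_admin(ev.parent_image):
                # Direct parent/child relationship: strongest signal available here.
                findings.append(Finding("powershell_spawned_by_remote_admin", "high",
                                        ev.host, ev.user, ev.ts, ["parent=" + ev.parent_image]))
            else:
                # Weaker signal for triage: PowerShell shortly after a session start on the same host.
                started = last_admin_start.get(ev.host)
                if started is not None and ev.ts - started <= window:
                    minutes = int((ev.ts - started).total_seconds() // 60)
                    findings.append(Finding("powershell_near_remote_admin_session", "low",
                                            ev.host, ev.user, ev.ts,
                                            ["%d min after session start" % minutes]))
    return findings


# Constructed sample telemetry (not real data); image names are placeholders.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "IT-SUPPORT-01", "corp\\helpdesk.svc", "ScreenConnect.ClientService.exe",
          "services.exe", "support.example.internal"),                       # approved
    Event(T0 + timedelta(minutes=2), "FIN-SRV-07", "corp\\helpdesk.svc",
          "ScreenConnect.ClientService.exe", "services.exe", "relay.unapproved.example"),
    Event(T0 + timedelta(minutes=4), "FIN-SRV-07", "corp\\helpdesk.svc",
          "powershell.exe", "ScreenConnect.ClientService.exe"),
    Event(T0 + timedelta(minutes=5), "IT-SUPPORT-01", "corp\\jdoe",
          "powershell.exe", "explorer.exe"),
    Event(T0 + timedelta(minutes=30), "WS-EXEC-02", "corp\\ceo",
          "ScreenConnect.ClientService.exe", "services.exe", "support.example.internal"),
]


def run_example():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.ts:%H:%M} {f.severity:<4} {f.rule:<36} {f.host:<14} {f.user:<20} {f.reasons}")
```

The first sample event produces nothing because host, user and destination all match the baseline; the remaining four each produce one finding. In practice the baseline sets would come from asset inventory and change management rather than a literal in the script, and the low-severity time-window rule is there for analyst context, not for paging.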

Mitigation priorities

  • Inventory and formally approve remote administration tooling before tuning detections.
  • Restrict ConnectWise use to authorized administrators, managed devices, and documented support workflows.
  • Use strong identity controls for remote administration access, including least privilege and rapid account/session revocation procedures.
  • Segment access so remote administration tooling does not create unnecessary lateral movement paths.
  • Retain session, authentication, endpoint, and PowerShell logs long enough to support incident response and compliance evidence.

Analyst notes and limits

ATT&CK identifies ConnectWise as legitimate software used by MuddyWater, GOLD SOUTHFIELD, and Scattered Spider, and links it to PowerShell, screen capture, and video capture techniques. The most useful defensive work is environment-specific: determine authorized business use, then monitor for use that violates that baseline.

The supplied ATT&CK object does not include official detection guidance, specific indicators, command lines, infrastructure, or detailed procedures. Local asset inventory, identity data, ConnectWise configuration, and endpoint telemetry are required to convert this into reliable detections.

Official MITRE ATT&CK definition

ConnectWise

ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                        Relationship / procedure
Enterprise  T1125      Video Capture               ConnectWise can record video on remote hosts. (Citation: Anomali Static Kitten February 2021)
Enterprise  T1059.001  PowerShell (sub-technique)  ConnectWise can be used to execute PowerShell commands on target machines. (Citation: Anomali Static Kitten February 2021)
Enterprise  T1113      Screen Capture              ConnectWise can take screenshots on remote hosts. (Citation: Anomali Static Kitten February 2021)

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0115: GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.[1][2][3][4]

Group (Enterprise)

G0069: MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]

Group (Enterprise)

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 33d2be1296f7c051...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  33d2be1296f7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Anomali Static Kitten February 2021
     Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.

  2. [2] Trend Micro Muddy Water March 2021
     Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

  3. [3] ScreenConnect
     (Citation: Anomali Static Kitten February 2021)

  4. [4] mitre-attack S0591

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.