Adversaries may use Valid Accounts to log into a service designed to accept remote connections, such as SSH, telnet, and VNC and perform actions as the logged-on user and its permissions.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.
Created: 29 December 2020
Last Modified: 29 December 2020