Remote Services

Adversaries may use Valid Accounts to log into a service designed to accept remote connections, such as SSH, telnet, or VNC, and perform actions as the logged-on user, with that user's permissions.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in with one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as Secure Shell (SSH) or Remote Desktop Protocol (RDP).[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Correlate login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques before attempting Lateral Movement.
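As an added illustration of the detection guidance above (example code, not part of the original page), the following Python flags a single valid account that logs into many different hosts over SSH within a short window. The sshd log lines, hostnames, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog-style; the second field is the
# host that received the login). Not real data.
SAMPLE_LOGS = """\
2020-12-29T10:00:01Z web01 sshd[1201]: Accepted password for svc_backup from 10.0.0.5 port 51234 ssh2
2020-12-29T10:00:09Z db01 sshd[3310]: Accepted password for svc_backup from 10.0.0.5 port 51240 ssh2
2020-12-29T10:00:20Z app02 sshd[2211]: Accepted publickey for svc_backup from 10.0.0.5 port 51251 ssh2
2020-12-29T10:00:31Z app03 sshd[2218]: Accepted password for svc_backup from 10.0.0.5 port 51260 ssh2
2020-12-29T10:05:00Z web01 sshd[1290]: Accepted publickey for alice from 10.0.1.20 port 40010 ssh2
2020-12-29T14:00:00Z db01 sshd[3400]: Accepted publickey for alice from 10.0.1.20 port 40022 ssh2
2020-12-29T10:02:00Z app04 sshd[2300]: Failed password for svc_backup from 10.0.0.5 port 51270 ssh2
"""

# Matches only successful logins ("Accepted password" / "Accepted publickey").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Return successful SSH logins as (timestamp, user, target_host, source_ip)."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            logins.append((ts, m["user"], m["host"], m["src"]))
    return logins


def find_fanout(logins, window=timedelta(minutes=10), max_hosts=3):
    """Flag accounts that reach more than max_hosts distinct machines within
    any sliding window: one valid account touching many hosts in a short
    span is the pattern the Detection section describes. Returns a mapping
    of flagged user -> sorted list of hosts reached inside the window."""
    by_user = defaultdict(list)
    for ts, user, host, src in logins:
        by_user[user].append((ts, host, src))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            hosts = {h for t, h, _ in events[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts
```

In the sample, svc_backup reaches four hosts in thirty seconds and is flagged, while alice's two logins hours apart are not; the threshold should be tuned against what is normal for each account class (administrators and backup services legitimately fan out more than users).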

References

ID: VT0020
MITRE ID:
Sub-techniques:
Tactic: Lateral Movement
Platforms: Linux, Windows, macOS
System Requirements: Active remote service accepting connections and valid credentials
Data Sources: API monitoring, Authentication logs, DLL monitoring, File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, PowerShell logs, Process command-line parameters, Process monitoring, Process use of network, Windows Registry, Windows event logs
CAPEC ID:
Version: 1.1

Created: 29 December 2020

Last Modified: 29 December 2020