
Remote Services

An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

ID: T1021
Tactic: Lateral Movement
Platform: Linux, macOS, Windows
System Requirements: Active remote service accepting connections and valid credentials
Data Sources: Authentication logs
CAPEC ID: CAPEC-555
Version: 1.0

Procedure Examples

APT39: APT39 used secure shell (SSH) to move laterally among their targets. [7]
Cobalt Strike: Cobalt Strike can SSH to a remote service. [1]
Empire: Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection. [2]
GCMAN: GCMAN uses PuTTY and VNC for lateral movement. [4]
Leviathan: Leviathan used SSH for internal reconnaissance. [8]
menuPass: menuPass has used the PuTTY Secure Copy client (PSCP) to transfer data. [6]
OilRig: OilRig has used PuTTY to access compromised systems. [5]
Proton: Proton uses VNC to connect into systems. [3]
TEMP.Veles: TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution. [9]

Mitigations

Multi-factor Authentication: Use multi-factor authentication on remote service logons where possible.
User Account Management: Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.
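Both mitigations can be expressed directly in OpenSSH server configuration. The fragment below is an added example, not part of the ATT&CK page or any referenced report; the group names, the forced-command path, the source address and the key are assumptions. The default (weak) posture is shown in comments beside the corrected settings.

```conf
# Added example (not from the ATT&CK page): OpenSSH server settings that implement
# the two mitigations above. Group names, command path, address and key are assumptions.

# --- /etc/ssh/sshd_config ---------------------------------------------------
# Weak (the stock default): every local account may log in, passwords are accepted,
# and a successful logon yields an interactive shell, so one stolen credential is
# both a foothold and a pivot point.
#   PasswordAuthentication yes
#   (AllowGroups unset)

# Limit the accounts that may use the service at all.
AllowGroups ssh-admins backup-ops
PasswordAuthentication no

# Multi-factor: require a key AND a second factor delivered through PAM. The PAM
# module that supplies the second factor is assumed to be installed and configured.
# On releases before OpenSSH 8.7 the keyword is ChallengeResponseAuthentication.
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
UsePAM yes

# Higher-risk accounts (the assumed group backup-ops) may run one program only.
# Whatever command the client requests, sshd runs ForceCommand instead (the request
# is exposed to that program in SSH_ORIGINAL_COMMAND); no TTY and no tunnelling
# through the session. The forced program itself must not offer a shell escape.
Match Group backup-ops
    ForceCommand /usr/local/bin/run-backup.sh
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

# --- ~svc-backup/.ssh/authorized_keys ----------------------------------------
# Same effect per key, useful where sshd_config cannot be changed. "restrict"
# (OpenSSH 7.2+) disables forwarding, PTY allocation and ~/.ssh/rc; "from" pins
# the permitted source. The key material is a placeholder.
restrict,command="/usr/local/bin/run-backup.sh",from="10.0.1.20" ssh-ed25519 AAAA...placeholder svc-backup@bastion
```

Validate with `sshd -t` before reloading; a syntax error in a Match block is rejected as a whole, which is safer than a partially applied restriction. The per-key form protects only that key, so an adversary who knows the account password still needs the sshd_config Match block (or PasswordAuthentication off) to be contained.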

Detection

Correlate remote-service logon activity (authentication logs from sshd, telnet and VNC servers) with unusual behavior or with other malicious or suspicious activity: an account or source address authenticating to many hosts in a short period, logons to hosts or at times outside the account's normal pattern, service accounts logging on interactively, or logons that closely follow discovery activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement, so reconnaissance followed by a burst of remote logons is a stronger signal than either alone.
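As an added example (not from the ATT&CK page or any referenced report), the following Python runs two of the correlations above over constructed, syslog-forwarded OpenSSH "Accepted" lines: fan-out (one source address and account authenticating to several distinct hosts within a short window) and first-seen (source, account, destination) triples absent from a known-good baseline. The log layout, hostnames, addresses, thresholds and baseline are assumptions; telnet and VNC servers log differently and would need their own parser.

```python
"""Correlate remote-service logons for lateral-movement signals (T1021).

Added example: parses constructed syslog-forwarded OpenSSH "Accepted" lines
and raises two kinds of alert:
  * fan-out: one (source IP, account) pair reaching several distinct hosts
    inside a short window, a pattern typical of scripted lateral movement;
  * new pair: a (source, account, destination) triple never seen in a
    known-good baseline.
Hostnames, addresses, the log layout and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog layout:
# "MMM DD HH:MM:SS host sshd[pid]: Accepted <method> for <user> from <ip> port <n> ..."
ACCEPTED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: forwarded auth logs from five hosts, one quiet admin and
# one service account that suddenly walks across the estate.
SAMPLE_LOG = """\
Oct 29 09:58:11 jump01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:aaaa
Oct 29 10:01:02 web01 sshd[1234]: Accepted password for svc-backup from 10.0.1.20 port 51234 ssh2
Oct 29 10:02:40 web02 sshd[1302]: Accepted password for svc-backup from 10.0.1.20 port 51240 ssh2
Oct 29 10:03:15 db01 sshd[4410]: Failed password for svc-backup from 10.0.1.20 port 51250 ssh2
Oct 29 10:04:09 db01 sshd[4412]: Accepted password for svc-backup from 10.0.1.20 port 51252 ssh2
Oct 29 10:06:55 app03 sshd[777]: Accepted password for svc-backup from 10.0.1.20 port 51260 ssh2
Oct 29 11:30:00 web01 sshd[1300]: Accepted publickey for alice from 10.0.0.5 port 50300 ssh2: ED25519 SHA256:aaaa
Oct 29 12:45:00 db01 sshd[4500]: Accepted publickey for alice from 10.0.0.5 port 50400 ssh2: ED25519 SHA256:aaaa
"""

# Constructed baseline: (source, account, host) triples observed over a quiet period.
BASELINE = {
    ("10.0.0.5", "alice", "jump01"),
    ("10.0.0.5", "alice", "web01"),
    ("10.0.0.5", "alice", "db01"),
    ("10.0.1.20", "svc-backup", "web01"),
}


def parse_accepted(line, year=2019):
    """Return a dict for a successful sshd logon line, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    m = ACCEPTED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": m["src"], "method": m["method"]}


def fanout_alerts(lines, window=timedelta(minutes=10), min_hosts=3):
    """Return [(src, user, sorted hosts)] for (src, user) pairs that reached at
    least min_hosts distinct destinations within any window-long span of logons."""
    events = sorted(filter(None, (parse_accepted(ln) for ln in lines)), key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["user"])].append(e)
    alerts = []
    for (src, user), evs in by_pair.items():
        lo, best = 0, set()
        for hi in range(len(evs)):            # slide the window over this pair's logons
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            hosts = {e["host"] for e in evs[lo:hi + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(best):
                best = hosts
        if best:
            alerts.append((src, user, sorted(best)))
    return alerts


def new_pair_alerts(lines, baseline):
    """Return (src, user, host) triples present in lines but absent from baseline,
    in order of first occurrence."""
    seen, out = set(), []
    for e in filter(None, (parse_accepted(ln) for ln in lines)):
        key = (e["src"], e["user"], e["host"])
        if key not in baseline and key not in seen:
            seen.add(key)
            out.append(key)
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, user, hosts in fanout_alerts(lines):
        print(f"fan-out: {user} from {src} reached {len(hosts)} hosts in 10 min: {', '.join(hosts)}")
    for src, user, host in new_pair_alerts(lines, BASELINE):
        print(f"new pair: {user} from {src} -> {host}")
```

The admin account touches three hosts over three hours and trips neither rule; the service account touches four hosts in six minutes, three of them never seen before, and trips both. In practice the fan-out threshold and window should be tuned per account class (configuration-management accounts legitimately fan out), and the baseline rebuilt periodically so that approved changes stop alerting.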

References