Remote Services

An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

ID: T1021

Tactic: Lateral Movement

Platform: Linux, macOS, Windows

Data Sources: Authentication logs

CAPEC ID: CAPEC-555

Version: 1.0

Examples

Name | Description

Cobalt Strike | Cobalt Strike can SSH to a remote service.[1]

GCMAN | GCMAN uses Putty and VNC for lateral movement.[2]

menuPass | menuPass has used Putty Secure Copy Client (PSCP) to transfer data.[3]

OilRig | OilRig has used Putty to access compromised systems.[4]

Proton | Proton uses VNC to connect into systems.[5]

Mitigation

Limit the number of accounts that may use remote services. Use multifactor authentication where possible. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. Prevent Credential Access techniques that may allow an adversary to acquire Valid Accounts that can be used by existing services.
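The mitigation text names three controls for an SSH service: restrict which accounts may log in, prefer strong authentication over passwords, and confine high-risk accounts to specific programs. The following audit script is an added example, not part of the ATT&CK page or any vendor's code; it parses an OpenSSH sshd_config (the whitespace-separated "keyword value" form only, which is an assumed simplification) and checks a permissive sample against a hardened one. Both configurations, the group names and the path /usr/local/bin/backup-only.sh are constructed. Multifactor authentication itself is usually enforced through PAM or an authentication proxy and is outside what this file-level check can see.

```python
"""Audit an OpenSSH server configuration for the restrictions the mitigation
describes: limit accounts (AllowUsers/AllowGroups), disable password and
root logins, and use Match + ForceCommand so a high-risk account can only
run a specific program. Added example; the configs below are constructed."""


# Constructed sample: a permissive configuration that accepts any local
# account with a password, including root.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the same server hardened along the lines the page gives.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-users backup-operators
Match Group backup-operators
    ForceCommand /usr/local/bin/backup-only.sh   # assumed wrapper script
    PermitTTY no
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return (global_opts, matches). global_opts maps lower-cased keywords to
    their value; matches is a list of (match_criteria, {keyword: value}).
    sshd keywords are case-insensitive, '#' starts a comment, and every line
    after a Match directive belongs to that block until the next Match."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = (value, {})
            matches.append(current)
        elif current is not None:
            current[1][key] = value
        else:
            global_opts[key] = value
    return global_opts, matches


def confined_accounts(text):
    """Return the Match criteria of blocks that pin the session to one program."""
    _, matches = parse_sshd_config(text)
    return [criteria for criteria, opts in matches if "forcecommand" in opts]


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed.
    Missing keywords are treated as unset rather than guessing the build's
    compiled-in default."""
    g, _ = parse_sshd_config(text)
    findings = []
    if g.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if g.get("passwordauthentication", "").lower() != "no":
        findings.append("PasswordAuthentication is not disabled; use keys and "
                        "add MFA through PAM")
    if not (g.get("allowusers") or g.get("allowgroups")):
        findings.append("No AllowUsers/AllowGroups: any local account may log "
                        "in over SSH")
    if not confined_accounts(text):
        findings.append("No Match block uses ForceCommand to restrict what a "
                        "high-risk account can run")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

Run against a real server's /etc/ssh/sshd_config the script only reports on the directives it knows; `sshd -T` prints the effective configuration (defaults included) and is the better input when one is unsure what the build's defaults are.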

Detection

Correlate login activity on remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.
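The detection guidance is abstract, so here is one concrete way to act on it with the page's named data source, authentication logs. This is an added example and not part of the ATT&CK page: it parses OpenSSH "Accepted ... for USER from SRC" syslog lines and raises three kinds of alert, a user logging in from a source never seen for that user, one user/source pair reaching several hosts within a short window (the fan-out shape lateral movement tends to produce), and logins outside expected hours. The log lines, the hostnames, the addresses and the baseline of known user/source pairs are all constructed; the thresholds are assumptions to tune per environment.

```python
"""Correlate accepted remote-service logins (OpenSSH auth log lines) with
behaviour that stands out. Added example; all sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the syslog line OpenSSH writes on a successful login.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: four successful logins across three hosts plus one
# failed attempt, which the parser ignores.
SAMPLE_LOG = """\
Mar 03 09:12:01 web01 sshd[2201]: Accepted publickey for alice from 10.0.1.10 port 50212 ssh2
Mar 03 02:14:07 web01 sshd[2310]: Accepted password for svc_backup from 10.0.5.23 port 51422 ssh2
Mar 03 02:15:30 db01 sshd[1877]: Accepted password for svc_backup from 10.0.5.23 port 51440 ssh2
Mar 03 02:16:11 web01 sshd[2330]: Failed password for root from 10.0.5.23 port 51450 ssh2
Mar 03 02:17:02 app02 sshd[4012]: Accepted password for svc_backup from 10.0.5.23 port 51461 ssh2
""".splitlines()

# Constructed baseline of (user, source) pairs that are normal for this estate.
BASELINE = {("alice", "10.0.1.10"), ("svc_backup", "10.0.9.5")}


def parse_logins(lines, year=2024):
    """Return accepted-login events as dicts, in log order. Classic syslog
    timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failures, disconnects and non-sshd lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "method": m["method"]})
    return events


def detect(lines, baseline, fanout_hosts=3, window=timedelta(minutes=10),
           offhours=range(0, 6)):
    """Return a list of alerts, each {"rule", "user", "src", "detail"}."""
    events = parse_logins(lines)
    alerts = []
    seen = set(baseline)

    # Rule 1: first login of a (user, source) pair not in the baseline.
    # Alert once per new pair, then treat it as seen to avoid repeats.
    for e in events:
        pair = (e["user"], e["src"])
        if pair not in seen:
            seen.add(pair)
            alerts.append({"rule": "unfamiliar_source", "user": e["user"],
                           "src": e["src"],
                           "detail": f"first seen on {e['host']} at "
                                     f"{e['ts']:%H:%M:%S} via {e['method']}"})

    # Rule 2: the same user/source reaching fanout_hosts distinct hosts
    # inside the window. One alert per pair is enough.
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["user"], e["src"])].append(e)
    for (user, src), group in by_pair.items():
        group.sort(key=lambda ev: ev["ts"])
        for i, start in enumerate(group):
            hosts = {ev["host"] for ev in group[i:]
                     if ev["ts"] - start["ts"] <= window}
            if len(hosts) >= fanout_hosts:
                alerts.append({"rule": "lateral_fanout", "user": user,
                               "src": src,
                               "detail": "hosts " + ",".join(sorted(hosts))})
                break

    # Rule 3: logins at hours when the account is not expected to be active.
    for e in events:
        if e["ts"].hour in offhours:
            alerts.append({"rule": "off_hours", "user": e["user"],
                           "src": e["src"],
                           "detail": f"{e['host']} at {e['ts']:%H:%M}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, BASELINE):
        print(f"[{a['rule']}] {a['user']}@{a['src']}: {a['detail']}")
```

On the sample, alice's daytime login from her usual address produces nothing, while svc_backup from 10.0.5.23 trips all three rules; in practice the same pipeline would be fed from a central log collector so that the fan-out across hosts is visible in one place, and the unfamiliar-source alert is the one to enrich with Discovery activity (new process lineage, enumeration commands) from the same session.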

References