Remote Services

An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

ID: T1021
Tactic: Lateral Movement
Platform: Linux, macOS, Windows
System Requirements: Active remote service accepting connections and valid credentials
Data Sources: Authentication logs
CAPEC ID: CAPEC-555
Version: 1.0

Procedure Examples

APT39

APT39 used secure shell (SSH) to move laterally among their targets.[8]

Cobalt Strike

Cobalt Strike can SSH to a remote service.[1]

Empire

Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.[2]

GCMAN

GCMAN uses PuTTY and VNC for lateral movement.[5]

Leviathan

Leviathan used SSH for internal reconnaissance.[9]

menuPass

menuPass has used PuTTY Secure Copy Client (PSCP) to transfer data.[7]

OilRig

OilRig has used PuTTY to access compromised systems.[6]

Proton

Proton uses VNC to connect to systems.[3]

TEMP.Veles

TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[10]

ZxShell

ZxShell supports functionality for VNC sessions.[4]

Mitigations

Multi-factor Authentication

Use multi-factor authentication on remote service logons where possible.

User Account Management

Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.
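The two mitigations above map onto concrete sshd_config directives: AllowGroups limits which accounts may log in, AuthenticationMethods requires a second factor, and a Match block with ForceCommand confines a high-risk group to one program. The following is an added example (not part of the ATT&CK page) that parses sshd_config with the semantics sshd applies (the first value seen for a keyword in a section wins; Match blocks override the global section for matching connections) and reports which of these controls are missing. Both configuration texts are constructed samples; the group name "contractors" and the ForceCommand path are assumptions.

```python
"""Audit an sshd_config for the account-restriction controls described above.

Added example, not from the ATT&CK page. Both configuration texts are
constructed samples; the restricted group and ForceCommand path are assumed.
"""
from dataclasses import dataclass, field

# Constructed: a permissive configuration of the kind the mitigation warns about.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: the same service with accounts limited and a high-risk group
# confined to a single program. AuthenticationMethods as written requires a
# key plus a keyboard-interactive factor (assumed to be a PAM OTP module).
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
AllowGroups sshadmins contractors
Match Group contractors
    ForceCommand /usr/local/bin/backup-only
    PermitTTY no
    X11Forwarding no
    AllowTcpForwarding no
"""


@dataclass
class SshdConfig:
    global_opts: dict = field(default_factory=dict)
    match_blocks: list = field(default_factory=list)  # [(criteria, {keyword: value})]


def parse_sshd_config(text: str) -> SshdConfig:
    """Split the file into the global section and its Match blocks."""
    cfg = SshdConfig()
    section = cfg.global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                    # lines until the next Match belong here
            section = {}
            cfg.match_blocks.append((value, section))
            continue
        section.setdefault(key, value)        # first value wins, as in sshd
    return cfg


def _match_groups(criteria: str) -> set:
    """Group names a Match line applies to: 'User bob Group a,b' -> {'a', 'b'}."""
    tokens = criteria.split()
    groups = set()
    for crit, pattern in zip(tokens[0::2], tokens[1::2]):
        if crit.lower() == "group":
            groups.update(pattern.split(","))
    return groups


def audit(cfg: SshdConfig, restricted_groups=()) -> list:
    """Return human-readable findings; an empty list means all controls are present."""
    findings = []
    g = cfg.global_opts
    # OpenSSH defaults to prohibit-password when the keyword is absent.
    if g.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in over SSH")
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append("no AllowUsers/AllowGroups: every local account may use SSH")
    methods = g.get("authenticationmethods", "")
    # Each space-separated alternative is a comma list; every one must need 2+ factors.
    if not methods or not all("," in alt for alt in methods.split()):
        findings.append("AuthenticationMethods does not require a second factor")
    for group in restricted_groups:
        confined = any(
            group in _match_groups(criteria) and "forcecommand" in opts
            for criteria, opts in cfg.match_blocks
        )
        if not confined:
            findings.append(f"group {group}: no Match block with ForceCommand, members get a full shell")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(text), restricted_groups=("contractors",)) or "OK")
```

Run against the weak sample the audit reports four missing controls; against the hardened sample it reports none. The ForceCommand check only confirms that the confined program is set, not that the program itself is safe, so the target of ForceCommand still needs its own review.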

Detection

Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.
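One way to act on the detection guidance above is to learn the normal (user, source host, destination host) relationships from the authentication logs and flag logins that fall outside them, escalating when the source of an unexpected login was itself the destination of an earlier unexpected login, which is what a multi-hop lateral movement chain looks like. The following is an added example, not part of the ATT&CK page: it parses sshd "Accepted ..." syslog lines against a baseline of known triples. The log lines, the IP-to-host inventory and the baseline are all constructed.

```python
"""Flag remote-service logins that fall outside known host relationships.

Added example, not from the ATT&CK page. The log lines, inventory and
baseline below are constructed.
"""
import re

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<dst>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src_ip>\S+) port \d+"
)

# Constructed inventory mapping source IPs to hostnames (assumption).
INVENTORY = {"10.0.1.15": "jump01", "10.0.2.20": "web01",
             "10.0.2.21": "web02", "10.0.3.5": "db01"}

# Constructed baseline: (user, source host, destination host) triples seen
# during a learning window; in practice derived from weeks of auth logs.
BASELINE = {
    ("deploy", "jump01", "web01"),
    ("deploy", "jump01", "web02"),
    ("dba", "jump01", "db01"),
}

# Constructed sshd syslog lines; the last two are the suspicious hops.
SAMPLE_LOG = """\
Jan 10 03:12:44 web01 sshd[2211]: Accepted publickey for deploy from 10.0.1.15 port 51234 ssh2
Jan 10 03:15:02 db01 sshd[1877]: Accepted publickey for dba from 10.0.1.15 port 51240 ssh2
Jan 10 22:40:51 web02 sshd[4012]: Failed password for deploy from 10.0.2.20 port 40122 ssh2
Jan 10 22:41:09 web02 sshd[4013]: Accepted password for deploy from 10.0.2.20 port 40130 ssh2
Jan 10 22:47:30 db01 sshd[1902]: Accepted password for dba from 10.0.2.21 port 40210 ssh2
"""


def parse_logins(lines):
    """Return dicts for successful logins; other sshd messages are skipped."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["src"] = INVENTORY.get(ev["src_ip"], ev["src_ip"])  # unknown IPs stay as IPs
            events.append(ev)
    return events


def flag_logins(events, baseline):
    """Flag logins outside the baseline; escalate when the source was itself flagged."""
    flagged = []
    suspect_hosts = set()    # destinations of earlier unexpected logins
    for ev in events:        # events are assumed to be in time order
        triple = (ev["user"], ev["src"], ev["dst"])
        if triple in baseline:
            continue
        severity = "high" if ev["src"] in suspect_hosts else "medium"
        suspect_hosts.add(ev["dst"])
        flagged.append({"ts": ev["ts"], "triple": triple,
                        "method": ev["method"], "severity": severity})
    return flagged


if __name__ == "__main__":
    for hit in flag_logins(parse_logins(SAMPLE_LOG.splitlines()), BASELINE):
        user, src, dst = hit["triple"]
        print(hit["severity"], hit["ts"], f"{src}->{dst}", "user", user, hit["method"])
```

On the sample the first two logins match the baseline, the web01 to web02 login is flagged at medium severity, and the following web02 to db01 login is raised to high because web02 had just received an unexpected login. The authentication method is kept in each hit because a password login on an account that normally authenticates with a key is a further signal worth correlating.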

References