Remote Services

An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

ID: T1021

Tactic: Lateral Movement

Platform: Linux, macOS, Windows

System Requirements: Active remote service accepting connections and valid credentials

Data Sources: Authentication logs

CAPEC ID: CAPEC-555

Version: 1.0

Examples

Name | Description
APT39 | APT39 used secure shell (SSH) to move laterally among their targets.[1]
Cobalt Strike | Cobalt Strike can SSH to a remote service.[2]
Empire | Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.[3]
GCMAN | GCMAN uses Putty and VNC for lateral movement.[4]
Leviathan | Leviathan used ssh for internal reconnaissance.[5]
Linux Rabbit | Linux Rabbit attempts to gain access to the server via SSH.[6]
menuPass | menuPass has used Putty Secure Copy Client (PSCP) to transfer data.[7]
OilRig | OilRig has used Putty to access compromised systems.[8]
Proton | Proton uses VNC to connect into systems.[9]
TEMP.Veles | TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[10]

Mitigation

Limit the number of accounts that may use remote services. Use multifactor authentication where possible. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. Prevent Credential Access techniques that may allow an adversary to acquire Valid Accounts that can be used by existing services.

Detection

Correlate login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.
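The detection guidance above relies on the Authentication logs data source. The following added example (not part of the ATT&CK page) parses constructed sshd "Accepted" lines and flags a source that authenticates to several distinct hosts within a short window, the fan-out pattern that remote-service lateral movement leaves behind; the hostnames, addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines: routine admin logins, then one source reaching four hosts.
SAMPLE_LOG = """\
Mar  3 09:01:10 web01 sshd[2101]: Accepted publickey for deploy from 10.0.5.20 port 51022 ssh2
Mar  3 09:02:45 web01 sshd[2150]: Accepted publickey for deploy from 10.0.5.20 port 51030 ssh2
Mar  3 22:14:03 db01 sshd[3310]: Accepted password for backup from 10.0.7.44 port 40211 ssh2
Mar  3 22:14:40 web02 sshd[4412]: Accepted password for backup from 10.0.7.44 port 40212 ssh2
Mar  3 22:15:12 app01 sshd[1182]: Accepted password for backup from 10.0.7.44 port 40213 ssh2
Mar  3 22:16:01 app02 sshd[1190]: Accepted password for root from 10.0.7.44 port 40214 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

def parse(log_text, year=2024):
    """Return successful sshd logins as dicts; syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # failed logins and other daemons' lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "host": m["host"], "user": m["user"],
                           "src": m["src"], "method": m["method"]})
    return events

def find_fan_out(events, window_minutes=10, min_hosts=3):
    """Flag a source that logs into >= min_hosts distinct hosts within window_minutes.
    One system reaching many others in quick succession is the fan-out of lateral movement."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            hosts = {first["host"]}
            for later in evs[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_minutes * 60:
                    break  # events are time-sorted, so the window is closed
                hosts.add(later["host"])
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "start": first["ts"], "hosts": sorted(hosts),
                               "users": sorted({e["user"] for e in evs})})
                break  # one alert per source is enough
    return alerts
```

Tune the window and threshold to the environment's baseline; jump hosts and orchestration servers legitimately fan out and need an allow-list.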

References