An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
| Name | Description |
| --- | --- |
| APT39 | APT39 used secure shell (SSH) to move laterally among their targets. |
| Cobalt Strike | Cobalt Strike can SSH to a remote service. |
| Empire | Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection. |
| GCMAN | GCMAN uses PuTTY and VNC for lateral movement. |
| Leviathan | Leviathan used SSH for internal reconnaissance. |
| menuPass | menuPass has used the PuTTY Secure Copy client (PSCP) to transfer data. |
| OilRig | OilRig has used PuTTY to access compromised systems. |
| Proton | Proton uses VNC to connect into systems. |
| TEMP.Veles | TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution. |
| Mitigation | Description |
| --- | --- |
| Multi-factor Authentication | Use multi-factor authentication on remote service logons where possible. |
| User Account Management | Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. |
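The two mitigations above map onto a handful of OpenSSH server directives: `AllowUsers`/`AllowGroups` limit which accounts may log in, `AuthenticationMethods publickey,keyboard-interactive` requires a key plus a second factor, and a `Match` block with `ForceCommand` confines a higher-risk account to one program. The script below is an added example, not part of the original page or of any ATT&CK or OpenSSH tooling: it parses an `sshd_config` and reports which of those controls are missing. Both configs are constructed for illustration; the directive names are real OpenSSH ones, while the group names and the `/usr/local/bin/backup-agent` path are assumptions.

```python
"""Audit an sshd_config for the account-limiting and MFA controls.

Added example (not from the original page). Directive names are OpenSSH's;
group names and the ForceCommand path are hypothetical.
"""

# Constructed: a permissive sshd_config. Any local account may log in with a
# password alone, root included, and every user gets a full shell.
WEAK_CONFIG = """
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes
"""

# Constructed: a hardened sshd_config. Only two groups may log in, each login
# needs a key AND a second factor, and the higher-risk backup account is
# pinned to a single program with port forwarding and PTY allocation off,
# so ForceCommand cannot be bypassed through a tunnel.
HARDENED_CONFIG = """
PasswordAuthentication no
PermitRootLogin no
AllowGroups sshusers backup-ops
AuthenticationMethods publickey,keyboard-interactive
Match Group backup-ops
    ForceCommand /usr/local/bin/backup-agent
    PermitOpen none
    AllowTcpForwarding no
    PermitTTY no
"""


def parse_sshd_config(text):
    """Return (global_directives, [(match_criteria, directives), ...]).

    Keys are lowercased (sshd_config keywords are case-insensitive), values
    are kept raw. A 'Match' line opens a block that collects every directive
    up to the next 'Match'. Comments and blank lines are ignored.
    """
    global_d, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        (current if current is not None else global_d)[key] = value
    return global_d, blocks


def audit(text):
    """Return a sorted list of findings; an empty list means all checks pass.

    Checks: accounts are limited (AllowUsers/AllowGroups), every login needs
    two factors (each AuthenticationMethods alternative lists two methods),
    root and password logins are off, and any ForceCommand block also closes
    TCP forwarding. PermitRootLogin is required to be an explicit 'no' even
    though OpenSSH's default is 'prohibit-password'.
    """
    g, blocks = parse_sshd_config(text)
    findings = []
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append("no AllowUsers/AllowGroups: any local account may log in")
    alternatives = g.get("authenticationmethods", "").split()
    if not alternatives or any("," not in alt for alt in alternatives):
        findings.append("AuthenticationMethods does not require two factors for every login")
    if g.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    for criteria, d in blocks:
        if "forcecommand" in d and d.get("allowtcpforwarding", "yes").lower() != "no":
            findings.append(f"Match {criteria}: ForceCommand set but AllowTcpForwarding is not 'no'")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['OK']}")
```

Run it against a real `/etc/ssh/sshd_config` by reading the file into `audit()`; after editing the live config, validate it with `sshd -t` before restarting the service, since a syntax error locks everyone out.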
Correlate login activity on remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.
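One concrete form of that correlation, as an added example that is not part of the original page: run centrally collected `sshd` logon lines against a baseline of known (account, source address) pairs, and flag a single source that reaches several distinct hosts within a short window, which is the fan-out pattern an adversary produces when moving laterally with a captured key or password. Failed logons from the same source are counted as supporting context. The log lines, host names, baseline and thresholds below are all constructed for illustration.

```python
"""Detection over sshd logon lines: added example, not from the original page.
Flags (1) an account logging in from a source not in the baseline and
(2) one source reaching several hosts in a short window (lateral-movement
fan-out). All sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed: sshd lines as received by a central syslog host
# (timestamp, reporting host, sshd message). Not real log data.
SAMPLE_LOG = """\
Apr 10 09:14:02 web01 sshd[2214]: Accepted publickey for deploy from 10.1.1.20 port 50111 ssh2
Apr 10 09:14:05 web02 sshd[1901]: Accepted publickey for deploy from 10.1.1.20 port 50112 ssh2
Apr 10 09:14:09 db01 sshd[3311]: Accepted publickey for deploy from 10.1.1.20 port 50113 ssh2
Apr 10 09:14:15 build01 sshd[777]: Accepted password for deploy from 10.1.1.20 port 50114 ssh2
Apr 10 11:02:40 web01 sshd[2290]: Accepted publickey for alice from 10.1.5.7 port 40001 ssh2
Apr 10 11:30:00 web01 sshd[2301]: Failed password for root from 10.1.1.20 port 50200 ssh2
Apr 10 16:20:11 web02 sshd[2350]: Accepted publickey for alice from 10.1.5.7 port 40002 ssh2
"""

# Constructed baseline of (user, source) pairs seen logging in normally,
# e.g. learned from the previous 30 days of accepted logons.
BASELINE = {("deploy", "10.1.9.9"), ("alice", "10.1.5.7")}

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FANOUT_HOSTS = 3       # distinct target hosts ...
FANOUT_WINDOW_S = 600  # ... reached within this many seconds


def parse_log(text, year=2024):
    """Return (accepted logons as dicts, failed-logon count per source).

    Syslog timestamps carry no year, so one is supplied to build datetimes.
    """
    accepted, failed = [], defaultdict(int)
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
            accepted.append(e)
            continue
        m = FAIL_RE.search(line)
        if m:
            failed[m.group("src")] += 1
    return accepted, failed


def detect(text, baseline=BASELINE):
    """Return alerts as (kind, user, src, detail) tuples."""
    accepted, failed = parse_log(text)
    by_pair = defaultdict(list)
    for e in accepted:
        by_pair[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        if (user, src) not in baseline:
            alerts.append(("new-source", user, src,
                           f"{len(events)} logons, first to {events[0]['host']} "
                           f"at {events[0]['ts']:%H:%M:%S}"))
        # Sliding window: does any run of logons from this pair reach
        # FANOUT_HOSTS distinct hosts within FANOUT_WINDOW_S seconds?
        for i, first in enumerate(events):
            hosts = {e["host"] for e in events[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= FANOUT_WINDOW_S}
            if len(hosts) >= FANOUT_HOSTS:
                alerts.append(("fan-out", user, src,
                               f"{len(hosts)} hosts within {FANOUT_WINDOW_S}s from "
                               f"{first['ts']:%H:%M:%S}; {failed.get(src, 0)} failed "
                               f"logons from this source"))
                break
    return alerts


if __name__ == "__main__":
    for kind, user, src, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {user}@{src}: {detail}")
```

On the sample, `alice` from her baseline address touches two hosts seven hours apart and stays quiet, while `deploy` from an unknown address hits four hosts in thirteen seconds, one of them by password rather than key, and the same address also fails a root logon: each signal alone is weak, together they are the "unusual behavior" worth an analyst's time. In production, feed the baseline from historical logons and tune the window and host count to the environment's normal automation (configuration management fans out by design, so its sources belong in the baseline).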
- Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved April 20, 2016.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- Hawley, S., et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
- Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.