|Platform||Linux, macOS, Windows|
|System Requirements||Active remote service accepting connections and valid credentials|
|Data Sources||Authentication logs|
An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
- GCMAN uses Putty and VNC for lateral movement.1
- OilRig has used Putty to access compromised systems.2
- menuPass has used Putty Secure Copy Client (PSCP) to transfer data.3
- Cobalt Strike can SSH to a remote service.4
- RemoteCMD can execute commands remotely by creating a new service on the remote system 5.
Limit the number of accounts that may use remote services. Use multifactor authentication where possible. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. Prevent Credential Access techniques that may allow an adversary to acquire Valid Accounts that can be used by existing services.
Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.
- Kaspersky Lab's Global Research & Analysis Team. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved April 20, 2016.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer - Oil Rig. Retrieved December 20, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.