Remote Services

Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).[1][2]

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.[3][4][5] Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session, which enables the adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.[6][7][4]

ID: T1021
Platforms: Linux, Windows, macOS
System Requirements: Active remote service accepting connections and valid credentials
CAPEC ID: CAPEC-555
Contributors: Dan Borges, @1njection
Version: 1.2
Created: 31 May 2017
Last Modified: 15 October 2021
Provided by LAYER 8

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0437 | Kivars | Kivars has the ability to remotely trigger keyboard input and mouse clicks.[8] |
| S0603 | Stuxnet | Stuxnet can propagate via peer-to-peer communication and updates using RPC.[9] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication | Use multi-factor authentication on remote service logons where possible. |
| M1018 | User Account Management | Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. |

Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0028 | Logon Session | Logon Session Creation |
| DS0011 | Module | Module Load |
| DS0033 | Network Share | Network Share Access |
| DS0029 | Network Traffic | Network Connection Creation |
| | | Network Traffic Flow |
| DS0009 | Process | Process Creation |

Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.

Use of applications such as ARD may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using these applications. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.
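One way to implement the two checks in the paragraph above (accounts on hosts they do not normally use, and one account reaching several hosts in a short period), as an added example that is not part of the original page. The log lines, host and account names, the `BASELINE` map and the 10-minute / 3-host thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (invented hosts, users, addresses): sshd lines, ISO timestamps.
SAMPLE_LOG = """\
2021-10-15T09:00:02 web01 sshd[811]: Accepted password for alice from 10.0.5.20 port 50122 ssh2
2021-10-15T09:01:10 db01 sshd[402]: Accepted publickey for svc_backup from 10.0.9.7 port 41810 ssh2
2021-10-15T09:01:40 db01 sshd[415]: Failed password for alice from 10.0.5.20 port 50130 ssh2
2021-10-15T09:02:15 app02 sshd[377]: Accepted password for alice from 10.0.5.20 port 50141 ssh2
2021-10-15T09:04:48 db01 sshd[420]: Accepted password for alice from 10.0.5.20 port 50160 ssh2
2021-10-15T13:30:00 web01 sshd[990]: Accepted publickey for bob from 10.0.5.31 port 60211 ssh2
2021-10-15T15:45:00 app02 sshd[512]: Accepted publickey for bob from 10.0.5.31 port 60388 ssh2
"""
# Constructed baseline: hosts each account normally uses.
BASELINE = {"alice": {"web01"}, "bob": {"web01", "app02"}, "svc_backup": {"db01"}}

ACCEPTED = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
                      r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")

def parse_logons(text):
    """Return (time, user, destination host, source) for each successful logon."""
    hits = (ACCEPTED.match(line) for line in text.splitlines())
    return [(datetime.fromisoformat(m["ts"]), m["user"], m["host"], m["src"])
            for m in hits if m]

def unusual_hosts(logons, baseline):
    """Accounts that logged on to hosts outside their baseline."""
    found = defaultdict(set)
    for _ts, user, host, _src in logons:
        if host not in baseline.get(user, set()):
            found[user].add(host)
    return {u: sorted(h) for u, h in found.items()}

def fan_out(logons, window=timedelta(minutes=10), min_hosts=3):
    """Accounts that reached min_hosts distinct hosts inside one time window."""
    by_user = defaultdict(list)
    for ts, user, host, _src in logons:
        by_user[user].append((ts, host))
    alerts = defaultdict(set)
    for user, events in by_user.items():
        for t0, _ in events:  # a window opening at each of the account's logons
            hosts = {h for t, h in events if t0 <= t <= t0 + window}
            if len(hosts) >= min_hosts:
                alerts[user] |= hosts
    return {u: sorted(h) for u, h in alerts.items()}

if __name__ == "__main__":
    logons = parse_logons(SAMPLE_LOG)
    print("fan-out:", fan_out(logons), "outside baseline:", unusual_hosts(logons, BASELINE))
```

Thresholds and the baseline need tuning per environment; administrative accounts and deployment tools that legitimately touch many hosts are the usual source of noise.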

In macOS, you can review logs for "screensharingd" and "Authentication" event messages. Monitor network connections regarding remote management (ports tcp:3283 and tcp:5900) and for remote login (port tcp:22).[7][10]

References