Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also log in to accessible SaaS or IaaS services, such as those that federate their identities to the domain.
Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-07 | Least Functionality | Protects | T1021 | Remote Services | |
CM-02 | Baseline Configuration | Protects | T1021 | Remote Services | |
AC-17 | Remote Access | Protects | T1021 | Remote Services | |
AC-02 | Account Management | Protects | T1021 | Remote Services | |
AC-20 | Use of External Systems | Protects | T1021 | Remote Services | |
AC-03 | Access Enforcement | Protects | T1021 | Remote Services | |
AC-05 | Separation of Duties | Protects | T1021 | Remote Services | |
AC-06 | Least Privilege | Protects | T1021 | Remote Services | |
AC-07 | Unsuccessful Logon Attempts | Protects | T1021 | Remote Services | |
CM-05 | Access Restrictions for Change | Protects | T1021 | Remote Services | |
CM-06 | Configuration Settings | Protects | T1021 | Remote Services | |
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1021 | Remote Services | |
IA-05 | Authenticator Management | Protects | T1021 | Remote Services | |
SI-04 | System Monitoring | Protects | T1021 | Remote Services | |
DEF-SecScore-E3 | Secure Score | Technique Scores | T1021 | Remote Services |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
- Identity (Microsoft Entra accounts & roles)
- Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
- Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
- Data (through Microsoft Information Protection)
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1021.005 | VNC | 23 |
T1021.004 | SSH | 15 |
T1021.008 | Direct Cloud VM Connections | 11 |
T1021.002 | SMB/Windows Admin Shares | 16 |
T1021.006 | Windows Remote Management | 16 |
T1021.003 | Distributed Component Object Model | 19 |
T1021.007 | Cloud Services | 9 |
T1021.001 | Remote Desktop Protocol | 24 |