T1021 Remote Services Mappings

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain.

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-07 Least Functionality Protects T1021 Remote Services
CM-02 Baseline Configuration Protects T1021 Remote Services
AC-17 Remote Access Protects T1021 Remote Services
AC-02 Account Management Protects T1021 Remote Services
AC-20 Use of External Systems Protects T1021 Remote Services
AC-03 Access Enforcement Protects T1021 Remote Services
AC-05 Separation of Duties Protects T1021 Remote Services
AC-06 Least Privilege Protects T1021 Remote Services
AC-07 Unsuccessful Logon Attempts Protects T1021 Remote Services
CM-05 Access Restrictions for Change Protects T1021 Remote Services
CM-06 Configuration Settings Protects T1021 Remote Services
IA-02 Identification and Authentication (organizational Users) Protects T1021 Remote Services
IA-05 Authenticator Management Protects T1021 Remote Services
SI-04 System Monitoring Protects T1021 Remote Services
DEF-SecScore-E3 Secure Score Technique Scores T1021 Remote Services

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1021.005 VNC 23
T1021.004 SSH 15
T1021.008 Direct Cloud VM Connections 11
T1021.002 SMB/Windows Admin Shares 16
T1021.006 Windows Remote Management 16
T1021.003 Distributed Component Object Model 19
T1021.007 Cloud Services 9
T1021.001 Remote Desktop Protocol 24