Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in with one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as Secure Shell (SSH) or Remote Desktop Protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also log in to accessible SaaS or IaaS services, such as those that federate their identities to the domain.
Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
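The fan-out pattern described above (one set of domain credentials reused against many machines over SSH, RDP or SMB) is something a detection engineer can test for directly, whichever remote service carried the session. The following is an added example and not part of the ATT&CK description or of the Intel/CrowdStrike material on this page: it normalises constructed Windows Security 4624 logon records and OpenSSH "Accepted" lines into one event stream and flags any account that authenticates to at least four distinct hosts within a ten-minute window. The record layout, hostnames, account names and addresses are all made up for the example.

```python
"""Fan-out detection for T1021: one account reaching many hosts over remote services.

Added example (not ATT&CK, Intel or CrowdStrike code). Two constructed log
formats, Windows Security 4624 logon events and OpenSSH "Accepted" lines, are
normalised into one event stream; an account that reaches at least `min_hosts`
distinct hosts inside a sliding time window raises one alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sample records, not taken from any real environment.
# Layout assumed here: "<ISO-8601 timestamp> <hostname> <message>".
SAMPLE_LOG = """\
2024-05-01T09:00:05 srv-fs01 Security 4624 TargetUserName=CORP\\jdoe LogonType=10 IpAddress=10.0.5.23
2024-05-01T09:00:41 srv-fs02 Security 4624 TargetUserName=CORP\\jdoe LogonType=3 IpAddress=10.0.5.23
2024-05-01T09:01:12 srv-db01 sshd[2210]: Accepted password for jdoe from 10.0.5.23 port 51122 ssh2
2024-05-01T09:01:50 srv-web01 sshd[874]: Accepted publickey for jdoe from 10.0.5.23 port 51130 ssh2
2024-05-01T09:02:20 srv-app01 Security 4624 TargetUserName=CORP\\jdoe LogonType=10 IpAddress=10.0.5.23
2024-05-01T09:15:00 wks-017 Security 4624 TargetUserName=CORP\\asmith LogonType=2 IpAddress=127.0.0.1
2024-05-01T10:30:00 srv-fs01 Security 4624 TargetUserName=CORP\\backup_svc LogonType=3 IpAddress=10.0.9.9
2024-05-01T11:45:00 srv-fs02 Security 4624 TargetUserName=CORP\\backup_svc LogonType=3 IpAddress=10.0.9.9
"""

# Windows logon types that mean a remote service was used: 3 (Network) is what
# SMB admin shares and WinRM produce, 10 (RemoteInteractive) is RDP. Type 2
# (Interactive, at the console) is deliberately excluded.
REMOTE_LOGON_TYPES = {3: "network", 10: "rdp"}

WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) Security 4624 TargetUserName=(?P<user>\S+) "
    r"LogonType=(?P<lt>\d+) IpAddress=(?P<ip>\S+)$"
)
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    protocol: str
    src_ip: str


def parse(line: str) -> Optional[Event]:
    """Normalise one log line; return None for lines that are not remote logons."""
    m = WIN_RE.match(line)
    if m:
        logon_type = int(m["lt"])
        if logon_type not in REMOTE_LOGON_TYPES:
            return None
        user = m["user"].split("\\")[-1].lower()  # strip the DOMAIN\ prefix
        return Event(datetime.fromisoformat(m["ts"]), m["host"], user,
                     REMOTE_LOGON_TYPES[logon_type], m["ip"])
    m = SSH_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), m["host"],
                     m["user"].lower(), "ssh", m["ip"])
    return None


def detect_fanout(log_text: str, window_minutes: float = 10,
                  min_hosts: int = 4) -> list:
    """Return one alert per account that reached >= min_hosts distinct hosts
    within any window_minutes-long span, regardless of which service was used."""
    window = timedelta(minutes=window_minutes)
    events = sorted((e for e in map(parse, log_text.splitlines()) if e),
                    key=lambda e: e.ts)
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        best = None  # (distinct host count, start index, end index) of the widest window
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:  # slide the left edge forward
                start += 1
            hosts = {x.host for x in evs[start:end + 1]}
            if best is None or len(hosts) > best[0]:
                best = (len(hosts), start, end)
        if best and best[0] >= min_hosts:
            span = evs[best[1]:best[2] + 1]
            alerts.append({
                "user": user,
                "distinct_hosts": best[0],
                "hosts": sorted({x.host for x in span}),
                "protocols": {x.protocol for x in span},
                "src_ips": sorted({x.src_ip for x in span}),
                "first_seen": span[0].ts.isoformat(),
                "last_seen": span[-1].ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the account jdoe reaches five hosts in just over two minutes using RDP, a network logon and SSH from one source address, and is reported once; backup_svc touches two hosts 75 minutes apart and stays below the threshold, and the console (logon type 2) sign-in is never counted as remote. In a real deployment the threshold and window need tuning per environment, and logon type 3 in particular is noisy (ordinary SMB file access produces it), so an allow-list of known scanning and backup service accounts is usually the first refinement.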
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1021 | Remote Services | See comments below |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of exploits against remote services. The integration strengthens CrowdStrike Falcon, improving its ability to detect and mitigate threats earlier in the kill chain while minimizing system performance impact.
Exploits against remote services involve adversaries targeting vulnerabilities in network-facing services such as RDP, SMB, or SSH to execute malicious code remotely. These attacks can allow attackers to gain unauthorized access to systems, elevate privileges, or move laterally within a network, often bypassing perimeter defenses. Remote service exploits are frequently used in ransomware, espionage, and other attacks that target high-value systems or data. Note that exploiting a vulnerability in such a service is catalogued by ATT&CK as a separate technique (T1210, Exploitation of Remote Services); T1021 itself, as described above, covers sessions established with valid credentials, so the same lateral-movement activity can occur with no exploit at all.
Intel TDT contributes to identifying these threats by providing low-level, real-time telemetry on program execution, memory access, and control flow. Security teams can use this data to detect abnormal behaviors that indicate exploitation of a remote service, such as suspicious command execution or unauthorized access to remote systems, and to stop malicious actions before they cause significant damage.
References
intel-ptt | Intel Platform Trust Technology | Win 11, ESS/Hello | T1021 | Remote Services | See comments below |
Comments
Windows Hello Enhanced Sign-in Security (ESS) isolates biometric and authentication data in a virtualization-based sandbox (Intel VT-x). Replacing a password with a biometric or PIN significantly reduces the risk of password brute-force attacks, since biometrics typically require physical presence and cannot be easily guessed or replicated. Authentication data, including public/private key pairs, is stored in the TPM (Intel PTT). Windows Hello also supports passkeys, a passwordless option that generates a public/private key pair: the public key is registered with the service requiring authentication, while the private key is held in the TPM and unlocked for use only after the user authenticates locally on the device with a biometric factor (fingerprint or facial recognition) or a PIN. By eliminating passwords in many authentication scenarios, Windows Hello helps protect against the risk of credentials being stored in files.
Windows emulates a smart card and uses Windows Hello keys tied to user certificates for authentication to remote services such as Remote Desktop Protocol, which makes it difficult for an attacker to reuse those credentials.
References
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1021.002 | SMB/Windows Admin Shares | 1 |
T1021.006 | Windows Remote Management | 1 |
T1021.001 | Remote Desktop Protocol | 1 |