T1021 Remote Services

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in with one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also log in to accessible SaaS or IaaS services, such as those that federate their identities to the domain.

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
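The behaviour described above, a single set of valid credentials being used to log in to many machines over SSH or RDP, is something a defender can look for in logon telemetry. The following is an added detection example written for this page; it is not ATT&CK code and not part of any product mapped below. It assumes two constructed log shapes (a Linux sshd "Accepted" line and a flattened Windows Security 4624 record, where LogonType 10 denotes an RDP logon), a 10-minute window and a 3-host threshold; all of those are assumptions to be tuned against a baseline of normal administrative activity.

```python
"""Added detection example: flag one account logging in to many hosts over
remote services (SSH, RDP) within a short window. Illustrative code written
for this page, not ATT&CK's or any vendor's; log formats and thresholds are
assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Two shapes are parsed:
# a Linux sshd "Accepted ..." line and a flattened Windows Security 4624
# record, where LogonType 10 (RemoteInteractive) indicates an RDP logon.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web01 sshd[101]: Accepted password for svc-backup from 10.0.5.20 port 51000 ssh2
2024-05-01T10:00:40Z host=web02 sshd[102]: Accepted password for svc-backup from 10.0.5.20 port 51002 ssh2
2024-05-01T10:01:15Z host=db01 sshd[103]: Accepted password for svc-backup from 10.0.5.20 port 51004 ssh2
2024-05-01T10:02:30Z host=app01 EventID=4624 LogonType=10 TargetUserName=svc-backup IpAddress=10.0.5.20
2024-05-01T10:03:05Z host=app02 EventID=4624 LogonType=10 TargetUserName=svc-backup IpAddress=10.0.5.20
2024-05-01T11:30:00Z host=web01 sshd[104]: Accepted publickey for alice from 10.0.9.8 port 40000 ssh2
2024-05-01T11:45:00Z host=fs01 EventID=4624 LogonType=2 TargetUserName=bob IpAddress=127.0.0.1
"""

SSH_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd\[\d+\]: Accepted \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=4624 LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)


def parse_events(text):
    """Return remote-service logon events as dicts; non-remote logons are dropped."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        proto = "ssh"
        if not m:
            m = WIN_RE.match(line)
            proto = "rdp"
            # Only RemoteInteractive (type 10) 4624 events count as RDP logons;
            # a console logon (type 2) is not a remote service use.
            if not m or m.group("ltype") != "10":
                continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "host": m.group("host"),
            "user": m.group("user"),
            "src": m.group("src"),
            "proto": proto,
        })
    return events


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Report accounts that reached >= min_hosts distinct hosts within `window`.

    Thresholds are assumptions; one finding is emitted per account, covering
    the first window in which the threshold is crossed.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = sorted({e["host"] for e in in_window})
            if len(hosts) >= min_hosts:
                findings.append({
                    "user": user,
                    "hosts": hosts,
                    "sources": sorted({e["src"] for e in in_window}),
                    "protocols": sorted({e["proto"] for e in in_window}),
                    "first": in_window[0]["ts"].isoformat(),
                    "last": in_window[-1]["ts"].isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_fan_out(parse_events(SAMPLE_LOG)):
        print(f"{f['user']} reached {len(f['hosts'])} hosts via "
              f"{'/'.join(f['protocols'])} from {', '.join(f['sources'])} "
              f"between {f['first']} and {f['last']}: {', '.join(f['hosts'])}")
```

On the constructed sample the service account is flagged (five hosts over SSH and RDP from one source in about three minutes) while the single SSH logon by alice and the console logon by bob are not. Correlating SSH and RDP logons under one account, rather than alerting on each protocol separately, is what makes the domain-credential reuse the description warns about visible.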

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1021 Remote Services
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
PR.AA-05.03 Service accounts Mitigates T1021 Remote Services
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via remote services that use service accounts.
PR.AA-05.02 Privileged system access Mitigates T1021 Remote Services
Comments
This diagnostic statement protects against Remote Services through the use of privileged account management and the use of multi-factor authentication.
DE.CM-06.02 Third-party access monitoring Mitigates T1021 Remote Services
Comments
This diagnostic statement protects against Remote Services through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.
PR.AA-02.01 Authentication of identity Mitigates T1021 Remote Services
Comments
This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally.
PR.AA-05.01 Access privilege limitation Mitigates T1021 Remote Services
Comments
This diagnostic statement describes the implementation of the least privilege principle, which can be applied by limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over the network, including file shares, remote access to systems, and unnecessary services, can help mitigate these techniques.
PR.PS-01.03 Configuration deviation Mitigates T1021 Remote Services
Comments
This diagnostic statement provides protection from Remote Services through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the operating system and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
PR.PS-05.02 Mobile code prevention Mitigates T1021 Remote Services
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
PR.PS-01.07 Cryptographic keys and certificates Mitigates T1021 Remote Services
Comments
This diagnostic statement protects against Remote Services through the use of key revocation and key management. Employing key protection strategies for key material used in identity management and authentication processes transmitted over networks, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries attempting to misuse remote services.
PR.AA-01.02 Physical and logical access Mitigates T1021 Remote Services
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
PR.AA-03.01 Authentication requirements Mitigates T1021 Remote Services
Comments
This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials.
PR.IR-04.01 Utilization monitoring Mitigates T1021 Remote Services
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms for network-based techniques of this type may include Data Loss Prevention (DLP), filtering network traffic, limiting network traffic, Network Intrusion Prevention Systems (NIPS), and network segmentation.
PR.IR-01.02 Network device configurations Mitigates T1021 Remote Services
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services.
PR.IR-01.03 Network communications integrity and availability Mitigates T1021 Remote Services
Comments
This diagnostic statement protects against Remote Services through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
PR.IR-01.04 Wireless network protection Mitigates T1021 Remote Services
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
PR.IR-01.06 Production environment segregation Mitigates T1021 Remote Services
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
PR.AA-01.01 Identity and credential management Mitigates T1021 Remote Services
Comments
This diagnostic statement protects against Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.
PR.PS-01.08 End-user device protection Mitigates T1021 Remote Services
Comments
This diagnostic statement protects against Remote Services by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1021 Remote Services
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1021 Remote Services
action.malware.vector.Network propagation Network propagation related-to T1021 Remote Services

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening technique_scores T1021 Remote Services
Comments
This control can protect against abuse of remote services.
alerts_for_linux_machines Alerts for Linux Machines technique_scores T1021 Remote Services
Comments
This control is only relevant for Linux environments. Among the sub-techniques that are relevant for Linux, this control may only alert on SSH.
azure_network_security_groups Azure Network Security Groups technique_scores T1021 Remote Services
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1021 Remote Services
Comments
This control can detect anomalous traffic or attempts related to network security groups (NSGs) for remote services.
azure_policy Azure Policy technique_scores T1021 Remote Services

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
mandiant_asm Mandiant Attack Surface Management (ASM) technique_scores T1021 Remote Services
Comments
Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.
advanced_protection_program Advanced Protection Program technique_scores T1021 Remote Services
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Implementing MFA on remote service logons prevents adversaries from using valid accounts to access those services.
cloud_ngfw Cloud Next-Generation Firewall (NGFW) technique_scores T1021 Remote Services
Comments
Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because, even though it can restrict remote services traffic from untrusted hosts for most of the sub-techniques (5 of 6), it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.
google_secops Google Security Operations technique_scores T1021 Remote Services
Comments
Google Security Ops is able to detect an alert based on system events, such as remote service connections. This mapping was scored as minimal based on a low or uncertain detection coverage factor for this technique. https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_inspector Amazon Inspector technique_scores T1021 Remote Services
Comments
The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints, specifically "Disable root login over SSH". This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. Given that Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows), only restricts access to remote services for one user account, and only supports one sub-technique, the coverage score is Minimal, leading to an overall Minimal score.
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1021 Remote Services
Comments
VPC security groups and network access control lists (NACLs) can provide partial protection for all of its sub-techniques and procedure examples, resulting in an overall score of Partial.
aws_network_firewall AWS Network Firewall technique_scores T1021 Remote Services
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because, even though it can restrict remote services traffic from untrusted hosts for most of the sub-techniques (5 of 6), it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1021.005 VNC 32
T1021.004 SSH 31
T1021.008 Direct Cloud VM Connections 23
T1021.002 SMB/Windows Admin Shares 32
T1021.006 Windows Remote Management 29
T1021.003 Distributed Component Object Model 33
T1021.007 Cloud Services 26
T1021.001 Remote Desktop Protocol 45