Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-17 | Remote Access | Protects | T1021 | Remote Services | |
| AC-2 | Account Management | Protects | T1021 | Remote Services | |
| AC-20 | Use of External Systems | Protects | T1021 | Remote Services | |
| AC-3 | Access Enforcement | Protects | T1021 | Remote Services | |
| AC-5 | Separation of Duties | Protects | T1021 | Remote Services | |
| AC-6 | Least Privilege | Protects | T1021 | Remote Services | |
| AC-7 | Unsuccessful Logon Attempts | Protects | T1021 | Remote Services | |
| CM-5 | Access Restrictions for Change | Protects | T1021 | Remote Services | |
| CM-6 | Configuration Settings | Protects | T1021 | Remote Services | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1021 | Remote Services | |
| IA-5 | Authenticator Management | Protects | T1021 | Remote Services | |
| SI-4 | System Monitoring | Protects | T1021 | Remote Services | |
| linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1021 | Remote Services |
Comments
This control is only relevant for Linux environments. Among the sub-techinques that are relevant for Linux, this control may only alert on SSH.
References
|
| network_security_groups | Network Security Groups | technique_scores | T1021 | Remote Services |
Comments
This control provides partial protection for all of its sub-techniques and procedure examples resulting in an overall score of Partial.
References
|
| azure_sentinel | Azure Sentinel | technique_scores | T1021 | Remote Services |
Comments
This control provides minimal to partial coverage for some of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
| microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1021 | Remote Services |
Comments
This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.
References
|
| azure_policy | Azure Policy | technique_scores | T1021 | Remote Services | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1021 | Remote Services |
Comments
This control can detect anomalous traffic or attempts related to network security group (NSG) for remote services.
References
|
| docker_host_hardening | Docker Host Hardening | technique_scores | T1021 | Remote Services |
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1021.003 | Distributed Component Object Model | 22 |
| T1021.001 | Remote Desktop Protocol | 28 |
| T1021.002 | SMB/Windows Admin Shares | 20 |
| T1021.004 | SSH | 21 |
| T1021.005 | VNC | 25 |
| T1021.006 | Windows Remote Management | 18 |