Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1021 | Remote Services | |
AC-2 | Account Management | Protects | T1021 | Remote Services | |
AC-20 | Use of External Systems | Protects | T1021 | Remote Services | |
AC-3 | Access Enforcement | Protects | T1021 | Remote Services | |
AC-5 | Separation of Duties | Protects | T1021 | Remote Services | |
AC-6 | Least Privilege | Protects | T1021 | Remote Services | |
AC-7 | Unsuccessful Logon Attempts | Protects | T1021 | Remote Services | |
CM-5 | Access Restrictions for Change | Protects | T1021 | Remote Services | |
CM-6 | Configuration Settings | Protects | T1021 | Remote Services | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1021 | Remote Services | |
IA-5 | Authenticator Management | Protects | T1021 | Remote Services | |
SI-4 | System Monitoring | Protects | T1021 | Remote Services | |
action.hacking.variety.Use of stolen creds | Use of stolen authentication credentials (including credential stuffing) | related-to | T1021 | Remote Services | |
action.malware.vector.Network propagation | Network propagation | related-to | T1021 | Remote Services | |
amazon_inspector | Amazon Inspector | technique_scores | T1021 | Remote Services | Comments: The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints, specifically "Disable root login over SSH". This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. Given that Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows), that it only restricts access to remote services for one user account, and that it only supports one sub-technique, the coverage score is Minimal, leading to an overall Minimal score. |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1021 | Remote Services | Comments: VPC security groups and network access control lists (NACLs) can provide partial protection for all of this technique's sub-techniques and procedure examples, resulting in an overall score of Partial. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1021 | Remote Services | Comments: AWS Network Firewall can pass, drop, or alert on traffic based on the network protocol, and can also perform deep packet inspection on the payload. This functionality can be used to allow remote services only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because, even though it can restrict remote services traffic from untrusted hosts for most of the sub-techniques (5 of 6), it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack. |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1021.003 | Distributed Component Object Model | 22 |
T1021.001 | Remote Desktop Protocol | 28 |
T1021.002 | SMB/Windows Admin Shares | 20 |
T1021.004 | SSH | 20 |
T1021.005 | VNC | 27 |
T1021.006 | Windows Remote Management | 20 |