T1021 Remote Services
Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).[1][2]
Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.[3][4][5] Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session, which enables the adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.[6][7][4]
Item | Value |
---|---|
ID | T1021 |
Sub-techniques | T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006 |
Tactics | TA0008 |
CAPEC ID | CAPEC-555 |
Platforms | Linux, Windows, macOS |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 28 March 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0437 | Kivars | Kivars has the ability to remotely trigger keyboard input and mouse clicks.[9] |
S0603 | Stuxnet | Stuxnet can propagate via peer-to-peer communication and updates using RPC.[10] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1032 | Multi-factor Authentication | Use multi-factor authentication on remote service logons where possible. |
M1018 | User Account Management | Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0028 | Logon Session | Logon Session Creation |
DS0011 | Module | Module Load |
DS0033 | Network Share | Network Share Access |
DS0029 | Network Traffic | Network Connection Creation |
DS0009 | Process | Process Creation |
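An added example, not part of the ATT&CK entry: one way to use the Logon Session Creation data component is to flag a single account that opens SSH sessions on several hosts within a short window, the pattern described above for a stolen set of domain credentials. The log layout (ISO timestamp, hostname, sshd message), the 10-minute window and the 3-host threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd lines forwarded from several hosts to one collector.
SAMPLE_LOG = """\
2022-03-28T09:00:02 web01 sshd[811]: Accepted publickey for deploy from 10.0.5.20 port 50122 ssh2
2022-03-28T09:15:10 web01 sshd[902]: Accepted password for jsmith from 10.0.7.44 port 41810 ssh2
2022-03-28T09:16:02 db01 sshd[377]: Accepted password for jsmith from 10.0.7.44 port 41822 ssh2
2022-03-28T09:16:40 db01 sshd[380]: Failed password for root from 10.0.7.44 port 41830 ssh2
2022-03-28T09:17:45 file01 sshd[1204]: Accepted password for jsmith from 10.0.7.44 port 41856 ssh2
2022-03-28T09:19:30 app03 sshd[655]: Accepted password for jsmith from 10.0.7.44 port 41871 ssh2
2022-03-28T13:00:11 web02 sshd[423]: Accepted publickey for deploy from 10.0.5.20 port 50980 ssh2
2022-03-28T15:02:09 web01 sshd[990]: Accepted password for jsmith from 10.0.9.9 port 60114 ssh2
"""

# Assumed line layout: "<ISO timestamp> <host> sshd[pid]: Accepted <method> for <user> from <ip> port <n>"
ACCEPTED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(log):
    """Return time-sorted (timestamp, user, source, host) tuples for successful logons."""
    events = []
    for line in log.splitlines():
        m = ACCEPTED.match(line)
        if m:  # failed attempts and unrelated lines are skipped
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["host"]))
    return sorted(events)

def fan_out(events, window=timedelta(minutes=10), threshold=3):
    """Map (user, source) to the hosts reached when one account, from one source,
    creates sessions on `threshold` or more distinct hosts within `window`."""
    by_key = defaultdict(list)
    for ts, user, src, host in events:
        by_key[(user, src)].append((ts, host))
    alerts = {}
    for key, seq in by_key.items():
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1  # slide the window forward
            hosts = {h for _, h in seq[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.setdefault(key, set()).update(hosts)
    return {key: sorted(hosts) for key, hosts in alerts.items()}
```

Accounts that legitimately fan out, such as deployment or configuration-management service accounts, need an allowlist or a higher threshold before this is useful as an alert.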
References
1. SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020.
2. Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.
3. Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021.
4. Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021.
5. Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021.
6. Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021.
7. Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021.
8. Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
9. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
10. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.