Skip to content

T1021 Remote Services

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).86 They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain.

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.231 Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.543

Item Value
ID T1021
Sub-techniques T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1021.007
Tactics TA0008
Platforms Linux, Windows, macOS
Version 1.3
Created 31 May 2017
Last Modified 30 March 2023

Procedure Examples

ID Name Description
S1063 Brute Ratel C4 Brute Ratel C4 has the ability to use RPC for lateral movement.9
S0437 Kivars Kivars has the ability to remotely trigger keyboard input and mouse clicks. 10
S1016 MacMa MacMa can manage remote screen sessions.11
S0603 Stuxnet Stuxnet can propagate via peer-to-peer communication and updates using RPC.12

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication Use multi-factor authentication on remote service logons where possible.
M1018 User Account Management Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0028 Logon Session Logon Session Creation
DS0011 Module Module Load
DS0033 Network Share Network Share Access
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation

References

  1. Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021. 

  2. Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021. 

  3. Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021. 

  4. Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021. 

  5. Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021. 

  6. Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016. 

  7. Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. 

  8. SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020. 

  9. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  10. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  11. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  12. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22