Keypoints
- Adversaries leverage valid credentials to access remote services like SSH, RDP, and VNC to perform lateral movement.
- Centralized domains enable single-credential access to many machines, increasing the impact of credential theft.
- Legitimate remote management tools (e.g., Apple Remote Desktop, deployment tools) can be abused for remote code execution.
- Detection relies on correlating remote-login events with unusual post-login behavior and rapid access to multiple systems.
- Monitor authentication logs, network connections on management ports, and process creation to identify suspicious remote-service usage.
Description:
- Like a stolen master key that opens many doors, Remote Services let an attacker with valid credentials walk across an organization's systems without breaking in anew.
- The technique uses remote-access protocols and management applications to log in as legitimate users, letting attackers run commands, transfer files, and move laterally across hosts. It matters because one compromised account can give broad, stealthy access to infrastructure and cloud resources.
Detection:
- Monitor authentication logs for SSH, RDP, VNC, ARD, and other remote-management services; alert on logins from unusual source IPs or geolocations using SIEM correlation rules.
- Correlate successful remote logins with subsequent suspicious activity: privilege escalations, new service installs, credential dumping, or unusual process creation; use EDR to link sessions to post-login behaviors.
- Track lateral patterns: multiple logins by the same account to many hosts in short time spans; build baseline access patterns and alert on deviations using UEBA.
- Inspect network telemetry for connections on management ports (tcp/22, tcp/3389, tcp/5900, tcp/3283) and for anomalous flows (unexpected peers, unusual volumes); use IDS/IPS and NetFlow or PCAP analysis to validate intent.
- Collect and analyze host logs: Windows Logon Session creation, Event IDs for remote logins, macOS screensharingd and Authentication events, and Linux auth logs; centralize logs for cross-host correlation to reduce blind spots.
- Watch for use of legitimate management tools in atypical ways: ARD, software deployment agents, or virtualization managers (vCenter) initiating odd commands; whitelist expected management workflows and alert on outliers.
- Be aware of false positives from scheduled admin tasks and automated management systems; reduce noise by maintaining allowlists of known management hosts, using context (time-of-day, source IP), and enriching alerts with asset owner and role information.
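As an added example (not code from the ATT&CK page), the lateral-pattern check from the bullets above written as a small detector: it parses centralized Linux sshd "Accepted" lines, groups successful logins by account and source address, and alerts when one pair reaches several distinct hosts inside a short window, skipping sources on an allowlist of known management hosts to suppress expected admin fan-out. The log lines, the 10.0.5.10 bastion address, the thresholds and the field layout are constructed assumptions; the same logic applies to Windows Logon Session Creation events (logon type 10) once they are normalized to the same fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centralized auth logs (ISO timestamp, host, sshd message)
# forwarded from several Linux hosts. Not real telemetry.
SAMPLE_LOG = """\
2024-03-01T09:00:05 web01 sshd[2211]: Accepted publickey for deploy from 10.0.5.10 port 50122 ssh2
2024-03-01T09:00:41 web02 sshd[1903]: Accepted publickey for deploy from 10.0.5.10 port 50130 ssh2
2024-03-01T09:01:13 db01 sshd[3310]: Accepted publickey for deploy from 10.0.5.10 port 50141 ssh2
2024-03-01T09:02:02 web01 sshd[2290]: Accepted password for alice from 10.0.9.77 port 40011 ssh2
2024-03-01T09:02:30 web02 sshd[1950]: Accepted password for alice from 10.0.9.77 port 40019 ssh2
2024-03-01T09:03:04 db01 sshd[3345]: Accepted password for alice from 10.0.9.77 port 40027 ssh2
2024-03-01T09:03:40 app01 sshd[4410]: Accepted password for alice from 10.0.9.77 port 40033 ssh2
2024-03-01T09:05:00 web01 sshd[2300]: Failed password for bob from 10.0.9.80 port 41000 ssh2
2024-03-01T11:30:00 web02 sshd[2100]: Accepted password for bob from 10.0.9.80 port 41010 ssh2
"""

# Only successful logins matter for fan-out; failed attempts are a different signal.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Return successful SSH logins as dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "user": m.group("user"),
            "src": m.group("src"),
            "method": m.group("method"),
        })
    return events


def detect_fanout(events, min_hosts=3, window_minutes=10, allowlist=frozenset()):
    """Flag (user, source IP) pairs that log in to >= min_hosts distinct hosts
    within window_minutes. Sources in allowlist (known management or bastion
    hosts, an assumed tuning knob) are ignored to cut scheduled-admin noise."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for e in events:
        if e["src"] in allowlist:
            continue
        by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: from each login, collect hosts reached within the window.
        for i in range(len(evs)):
            hosts = set()
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                hosts.add(evs[j]["host"])
                j += 1
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src": src,
                    "hosts": sorted(hosts),
                    "first": evs[i]["ts"],
                    "last": evs[j - 1]["ts"],
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    bastions = frozenset({"10.0.5.10"})  # assumed allowlisted management host
    for a in detect_fanout(parse_logins(SAMPLE_LOG), allowlist=bastions):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {a['user']}@{a['src']} reached {len(a['hosts'])} hosts "
              f"({', '.join(a['hosts'])}) in {span:.0f}s")
```

With the allowlist in place only alice is reported (four hosts in under two minutes from a non-management address); the deploy account's identical fan-out from the bastion is treated as an expected workflow, and bob's single login never reaches the threshold. Enriching the alert with asset owner and role, as the last bullet suggests, is a lookup on the host names the alert already carries.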
Tactics:
Lateral Movement
Platforms:
ESXi, IaaS, Linux, Windows, macOS
Data Sources:
Command: Command Execution, Logon Session: Logon Session Creation, Module: Module Load, Network Share: Network Share Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation, WMI: WMI Creation
Relationship Citations:
(Citation: TrendMicro BlackTech June 2017),(Citation: Crowdstrike HuntReport 2022),(Citation: ESET DazzleSpy Jan 2022),(Citation: Palo Alto Brute Ratel July 2022),(Citation: Cadet Blizzard emerges as novel threat actor),(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011),(Citation: Mandiant FIN12 Oct 2021),(Citation: Google Cloud Threat Intelligence ESXi Hardening 2023),(Citation: Sygnia ESXi Ransomware 2024),(Citation: Broadcom ESXi Lockdown Mode)
Read More: https://attack.mitre.org/techniques/T1021