Description
Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain, or management platforms for internal virtualization environments such as VMware vCenter.
Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
Network Pentesting Methodology
Read our in-depth pentesting guide related to this technique
Platforms
Sub-Techniques (8)
Remote Desktop Protocol
T1021.002SMB/Windows Admin Shares
T1021.003Distributed Component Object Model
T1021.004SSH
T1021.005VNC
T1021.006Windows Remote Management
T1021.007Cloud Services
T1021.008Direct Cloud VM Connections
Mitigations (6)
Limit Access to Resource Over NetworkM1035
Prevent unnecessary remote access to file shares, hypervisors, sensitive systems, etc. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.(Citation: Sygnia ESXi Ransomware 2024)
AuditM1047
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
User Account ManagementM1018
Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.
Disable or Remove Feature or ProgramM1042
If remote services, such as the ability to make direct connections to cloud virtual machines, are not required, disable these connection types where feasible. On ESXi servers, consider enabling lockdown mode, which disables direct access to an ESXi host and requires that the host be managed remotely using vCenter.(Citation: Google Cloud Threat Intelligence ESXi Hardening 2023)(Citation: Broadcom E
Multi-factor AuthenticationM1032
Use multi-factor authentication on remote service logons where possible.
Password PoliciesM1027
Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used the WebDAV protocol to execute [Ryuk](https://attack.mitre.org/software/S0446) payload... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) used remote scheduled tasks to install malicious software on victim systems during lateral move... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) uses valid network credentials gathered through credential harvesting to move laterally within vic... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S1016 | MacMa | Malware | [MacMa](https://attack.mitre.org/software/S1016) can manage remote screen sessions.(Citation: ESET DazzleSpy Jan 2022) |
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) has the ability to use RPC for lateral movement.(Citation: Palo Alto Brute Ratel July 2022) |
| S0437 | Kivars | Malware | [Kivars](https://attack.mitre.org/software/S0437) has the ability to remotely trigger keyboard input and mouse clicks. (Citation: TrendMicro BlackTech... |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) can propagate via peer-to-peer communication and updates using RPC.(Citation: Nicolas Falliere, Lia... |
References
- Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021.
- Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021.
- Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021.
- Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021.
- Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021.
- Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.
- Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
- SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020.
Frequently Asked Questions
What is T1021 (Remote Services)?
T1021 is a MITRE ATT&CK technique named 'Remote Services'. It belongs to the Lateral Movement tactic(s). Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform acti...
How can T1021 be detected?
Detection of T1021 (Remote Services) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1021?
There are 6 documented mitigations for T1021. Key mitigations include: Limit Access to Resource Over Network, Audit, User Account Management, Disable or Remove Feature or Program, Multi-factor Authentication.
Which threat groups use T1021?
Known threat groups using T1021 include: Wizard Spider, Aquatic Panda, Ember Bear.