MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1021: Remote Services

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP). They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain.

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer. Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

it_bastion: PT-CR-2179: SKDPUNT_Multiple_Access_Attempts: Multiple attempts to access the system
sap_suspicious_user_activity: PT-CR-241: SAPASABAP_GW_Call_not_allowed_monitor_command: SAP Gateway monitor command is not allowed
it_bastion: PT-CR-2176: SKDPUNT_Session_From_Different_Subnet: Session of a user from another subnet
mongo_database: PT-CR-524: MongoDB_connect_through_Pentest_OS: A connection to a database from an operating system designed for penetration testing
profiling: PT-CR-1034: App_1C_Enterprise_Abnormal_Access: Suspicious logon to 1C:Enterprise. Authentication data differ from the collected profile.
profiling: PT-CR-1035: App_1C_User_PC_Abnormal_Access: A suspicious logon to a host with access to the 1C application. Authentication data differ from the collected profile.
profiling: PT-CR-1040: Release_Build_Agent_Abnormal_Access: Suspicious logon to a build agent server. Authentication data differ from the collected profile.
profiling: PT-CR-1041: Teamcity_Abnormal_Access: Suspicious logon to TeamCity. Authentication data differ from the collected profile.
profiling: PT-CR-1044: Developer_PC_Abnormal_Access: Suspicious logon to a developer's computer. Authentication data differ from the collected profile.
profiling: PT-CR-1045: VCS_Server_Abnormal_Access: Suspicious logon to a version control system. Authentication data differ from the collected profile.
profiling: PT-CR-1050: Subrule_Windows_Host_Abnormal_Access: Suspicious logon to a critical host. Authentication data differ from the collected profile.
profiling: PT-CR-1051: KSC_Console_Abnormal_Access: Suspicious logon to the Kaspersky Security Center console. Authentication data differ from the collected profile.
profiling: PT-CR-1052: Antivirus_Server_Abnormal_Access: Suspicious logon to an antivirus server. Authentication data differ from the collected profile.
profiling: PT-CR-1054: Subrule_Teampass_Login_Successful: Logon to TeamPass
profiling: PT-CR-1057: VPN_User_Abnormal_Access: Logon to internal resources under another users account. Authentication data differ from the collected profile.
profiling: PT-CR-1059: vCenter_Abnormal_Access: Suspicious logon to vCenter. Authentication data differ from the collected profile.
profiling: PT-CR-1061: Cisco_Abnormal_Access: Suspicious connection to Cisco hardware. Authentication data differ from the collected profile.
profiling: PT-CR-1062: Fortigate_Abnormal_Access: Suspicious connection to FortiGate hardware. Authentication data differ from the collected profile.
profiling: PT-CR-1063: Wifi_Abnormal_Access: Suspicious connection to Wi-Fi equipment. Authentication data differ from the collected profile.
profiling: PT-CR-1070: Top_Managers_Abnormal_Access: Suspicious logon to a top manager workstation. Authentication data differ from the collected profile.
profiling: PT-CR-1382: Checkpoint_Abnormal_Access: Suspicious connection to Check Point hardware. Authentication data differ from the collected profile.
profiling: PT-CR-1782: PT_IAM_Abnormal_Access: Suspicious logon to a Positive Technologies application using IAM. Authentication data differ from the collected profile.
profiling: PT-CR-1784: MSSQL_Abnormal_Access: Suspicious logon to Microsoft SQL Server. Authentication data differ from the collected profile.
profiling: PT-CR-1785: Teampass_Abnormal_Access: Suspicious logon to TeamPass. Authentication data differ from the collected profile.
profiling: PT-CR-1788: Keycloak_Abnormal_Access: Suspicious logon via Keycloak. Authentication data differ from the collected profile.
profiling: PT-CR-1791: Application_Abnormal_Access: Suspicious logon to an application with no specific profiling rules. Authentication data differ from the collected profile.
profiling: PT-CR-1792: ADFS_Abnormal_Access: Suspicious logon via Active Directory Federation Services (AD FS). Authentication data differ from the collected profile.
profiling: PT-CR-1793: Confluence_Abnormal_Access: Suspicious logon to Confluence. Authentication data differ from the collected profile.
profiling: PT-CR-1808: Passwork_Abnormal_Access: Suspicious logon to Passwork. Authentication data differ from the collected profile.
profiling: PT-CR-1809: Gitlab_Abnormal_Access: Suspicious logon to GitLab. Authentication data differ from the collected profile.
profiling: PT-CR-1810: Critical_Server_Abnormal_Access: Suspicious logon to a critical server. Authentication data differ from the collected profile.
profiling: PT-CR-1811: Teamcity_Abnormal_BuildConfig_Modify: Suspicious logon and build configuration changes in TeamCity. Authentication data differ from the collected profile.
profiling: PT-CR-1812: App_1C_Server_Abnormal_Access: Suspicious logon to the 1C application server. Authentication data differ from the collected profile.
profiling: PT-CR-1871: MECM_Abnormal_Access: Suspicious logon via Microsoft Endpoint Configuration Manager. Authentication data differ from the collected profile.
profiling: PT-CR-2456: FreeIPA_Abnormal_Access: Suspicious authentication in the FreeIPA domain. Authentication data differ from the previously collected profile.
profiling: PT-CR-1920: PTAF_Abnormal_Access: Suspicious logon to PT AF. Authentication data differ from the collected profile.
profiling: PT-CR-2059: Zabbix_Abnormal_Access: Suspicious logon to Zabbix. Authentication data differs from the previously collected profile.
profiling: PT-CR-2388: Arista_EOS_Abnormal_Access: Suspicious connection to Arista hardware. Authentication data differ from the collected profile.
profiling: PT-CR-2137: Hashicorp_Vault_Abnormal_Access: Suspicious logon to Vault. Authentication data differ from the collected profile.
profiling: PT-CR-218: SecurityAdmin_Abnormal_Access: Suspicious logon by a security administrator. Authentication data differ from the collected profile.
profiling: PT-CR-228: Domain_Controller_Abnormal_Access: Suspicious logon to a domain controller. Authentication data differ from the collected profile.
profiling: PT-CR-2325: Grafana_Abnormal_Access: Suspicious logon to Grafana. Authentication data differ from the collected profile.
profiling: PT-CR-2337: PostgreSQL_Abnormal_Access: Suspicious logon to DBMS PostgreSQL. Authentication data differ from the collected profile.

Detection

IDDS0033Data source and componentNetwork Share: Network Share AccessDescription

Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB).

IDDS0011Data source and componentModule: Module LoadDescription

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes, that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

Note: On Windows, Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes, including those designed to accept remote connections. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and module to help reduce the number of events that are produced.

IDDS0029Data source and componentNetwork Traffic: Network Connection CreationDescription

Monitor for newly constructed network connections that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp: 3389 and tcp:22 for remote login.

IDDS0029Data source and componentNetwork Traffic: Network Traffic FlowDescription

Monitor network data for uncommon data flows that may be related to abuse of Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network service protocols such as SSH and RDP. #Protocol 6 = TCP #Protocol 17 = UDP

Analytic 1 - Suspicious Protocols source="Zeek:" AND (port="636" AND protocol="6") OR (port="389" AND protocol="17")

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for newly executed processes that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. The adversary may then perform actions that spawn additional processes as the logged-on user.

Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.

Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include

  • PuTTY
  • port forwarding -R * -pw
  • secure copy (scp) -pw * * @
  • mimikatz sekurlsa::
  • RAR * -hp *
  • Archive* a * Additionally, it may be useful to find IP addresses in the command line
  • \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}

Analytic 1 - Suspicious Arguments

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="-R .* -pw" OR CommandLine="-pw .* .* .@." OR CommandLine="sekurlsa" OR CommandLine=" -hp " OR CommandLine=".* a .*"

IDDS0028Data source and componentLogon Session: Logon Session CreationDescription

Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For example, in macOS you can review logs for "screensharingd" and "Authentication" event messages.

Note: When using Security event id 4624, %$ means user names that do not end with $ character. Usually, computer accounts or local system accounts names end with the $ character. When using Security event 4624, UserName and UserLogonId correspond to TargetUserName and TargetLogonId respectively. When using Security event 4624, LogonType 3 corresponds to a Network Logon

Analytic 1 - New services being created under network logon sessions by non-system users (source="WinEventLog:Security" EventCode="4624") AND LogonType="3" AND UserName NOT '$' | rename UserLogonId AS LogonID | join type=inner LogonID [| search (source="*WinEventLog:Security" EventCode="4697") | rename UserLogonId as LogonID]

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

IDDS0005Data source and componentWMI: WMI CreationDescription

Monitor for newly constructed WMI objects that is often used to log into a service that accepts remote connects.

Mitigation

IDM1035NameLimit Access to Resource Over NetworkDescription

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

IDM1047NameAuditDescription

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

IDM1018NameUser Account ManagementDescription

Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.

IDM1042NameDisable or Remove Feature or ProgramDescription

If remote services, such as the ability to make direct connections to cloud virtual machines, are not required, disable these connection types where feasible.

IDM1032NameMulti-factor AuthenticationDescription

Use multi-factor authentication on remote service logons where possible.

IDM1027NamePassword PoliciesDescription

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.