CAPEC-555 Detail
Remote Services with Stolen Credentials
Standard Software Typical Severity: Very High
Parents: 560
Threats: T71 T75 T263 T271 T279 T283 T292 T307 T385 T388 T398 T402
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-555 | capec | https://capec.mitre.org/data/definitions/555.html | |
| CWE-522 | cwe | http://cwe.mitre.org/data/definitions/522.html | |
| CWE-308 | cwe | http://cwe.mitre.org/data/definitions/308.html | |
| CWE-309 | cwe | http://cwe.mitre.org/data/definitions/309.html | |
| CWE-294 | cwe | http://cwe.mitre.org/data/definitions/294.html | |
| CWE-263 | cwe | http://cwe.mitre.org/data/definitions/263.html | |
| CWE-262 | cwe | http://cwe.mitre.org/data/definitions/262.html | |
| CWE-521 | cwe | http://cwe.mitre.org/data/definitions/521.html | |
| T1021 | ATTACK | https://attack.mitre.org/wiki/Technique/T1021 | Remote Services |
| T1114.002 | ATTACK | https://attack.mitre.org/wiki/Technique/T1114/002 | Email Collection: Remote Email Collection |
| T1133 | ATTACK | https://attack.mitre.org/wiki/Technique/T1133 | External Remote Services |
- Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). Other implementations and third-party tools provide graphical remote access similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.
- Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.