CAPEC-555: Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
Last updated
Overview
CAPEC-555 (Remote Services with Stolen Credentials) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How to mitigate it
Defenses that reduce the risk of CAPEC-555.
- Disable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote interactive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP. Limit remote user permissions. Use remote desktop gateways and multifactor authentication for remote logins.
Examples
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.
Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.
Terminology & mappings
Mapped taxonomies
- ATTACK: Remote Services (1021)
- ATTACK: Email Collection:Remote Email Collection (1114.002)
- ATTACK: External Remote Services (1133)
Frequently asked questions
Common questions about CAPEC-555.
- What is CAPEC-555?
- This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
- How do you prevent CAPEC-555?
- Disable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote interactive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP. Limit remote user permissions. Use remote desktop gateways and multifactor authentication for remote logins.
- What weaknesses does CAPEC-555 target?
- CAPEC-555 exploits 7 CWE weaknesses, including CWE-262 (Not Using Password Aging), CWE-263 (Password Aging with Long Expiration), CWE-294 (Authentication Bypass by Capture-replay), CWE-308 (Use of Single-factor Authentication).
- How severe is CAPEC-555?
- MITRE rates CAPEC-555 as Very High severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-555
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.