{ "id": "bundle--6efd529a-51c8-4c55-9e27-ced12da4ce37", "objects": [ { "created": "2015-11-09T00:00:00.000Z", "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", "description": "This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.", "external_references": [ { "external_id": "CAPEC-555", "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/555.html" }, { "external_id": "CWE-522", "source_name": "cwe", "url": "http://cwe.mitre.org/data/definitions/522.html" }, { "external_id": "CWE-308", "source_name": "cwe", "url": "http://cwe.mitre.org/data/definitions/308.html" }, { "external_id": "CWE-309", "source_name": "cwe", "url": "http://cwe.mitre.org/data/definitions/309.html" }, { "external_id": "CWE-294", "source_name": "cwe", "url": "http://cwe.mitre.org/data/definitions/294.html" }, { "external_id": "CWE-263", "source_name": "cwe", "url": "http://cwe.mitre.org/data/definitions/263.html" }, { "external_id": "CWE-262", "source_name": "cwe", "url": "http://cwe.mitre.org/data/definitions/262.html" }, { "external_id": "CWE-521", "source_name": "cwe", "url": "http://cwe.mitre.org/data/definitions/521.html" }, { "description": "Remote Services", "external_id": "T1021", "source_name": "ATTACK", "url": "https://attack.mitre.org/wiki/Technique/T1021" }, { "description": "Email Collection:Remote Email Collection", "external_id": "T1114.002", "source_name": "ATTACK", "url": "https://attack.mitre.org/wiki/Technique/T1114/002" }, { "description": "External Remote Services", "external_id": "T1133", "source_name": "ATTACK", "url": "https://attack.mitre.org/wiki/Technique/T1133" } ], "id": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", "modified": "2022-09-29T00:00:00.000Z", "name": "Remote Services with Stolen Credentials", "object_marking_refs": [ 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" ], "spec_version": "2.1", "type": "attack-pattern", "x_capec_abstraction": "Standard", "x_capec_can_precede_refs": [ "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" ], "x_capec_child_of_refs": [ "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" ], "x_capec_domains": [ "Software" ], "x_capec_example_instances": [ "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). Other implementations and third-party tools provide graphical remote access similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.", "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell." ], "x_capec_status": "Stable", "x_capec_typical_severity": "Very High", "x_capec_version": "3.9" } ], "type": "bundle" }