Remote Terminal Sessions
An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections.
| id: | 5c310aff-d4a8-43fb-beed-b17dab1f1df0 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows, macos, linux |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Lateral Movement |
|---|---|
| techniques: | T1021 Remote Services |
Query
```
process where subtype.create and
  process_name in ("telnet.exe", "putty.exe", "ssh")
| unique_count parent_process_name, command_line
```
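The query's filter and `unique_count` pipe, emulated in plain Python over constructed events to show how repeated launches collapse into one row per parent and command line. This is an added example, not code from this analytic's project or from the EQL engine; the sample events, the helper names, and the case-insensitive name match are assumptions, and only a `count` field is attached to each row.

```python
from collections import OrderedDict

# Process names taken from the query on this page.
TERMINAL_CLIENTS = {"telnet.exe", "putty.exe", "ssh"}


def ev(subtype, name, parent, cmd):
    """Build one constructed process event using the query's field names."""
    return {"event_type": "process", "subtype": subtype, "process_name": name,
            "parent_process_name": parent, "command_line": cmd}


# Constructed sample data; hosts are documentation addresses.
EVENTS = [
    ev("create", "ssh", "bash", "ssh admin@192.0.2.5"),
    ev("create", "ssh", "bash", "ssh admin@192.0.2.5"),
    ev("create", "ssh", "bash", "ssh admin@192.0.2.5"),
    ev("terminate", "ssh", "bash", "ssh admin@192.0.2.5"),  # not a creation
    ev("create", "sshd", "systemd", "/usr/sbin/sshd -D"),    # not in the list
    ev("create", "PuTTY.exe", "explorer.exe", "putty.exe -ssh 192.0.2.7"),
    ev("create", "telnet.exe", "cmd.exe", "telnet.exe 192.0.2.9 23"),
]


def matches(event):
    """process where subtype.create and process_name in (...)."""
    # Assumption: names are compared case-insensitively.
    return (event.get("event_type") == "process"
            and event.get("subtype") == "create"
            and str(event.get("process_name", "")).lower() in TERMINAL_CLIENTS)


def unique_count(events, *fields):
    """Keep the first event per unique field tuple and attach a count."""
    groups = OrderedDict()
    for event in events:
        key = tuple(event.get(f) for f in fields)
        if key not in groups:
            groups[key] = dict(event, count=0)  # copy, input stays untouched
        groups[key]["count"] += 1
    return list(groups.values())


def remote_terminal_sessions(events):
    """Filter, then aggregate on the two fields named in the pipe."""
    return unique_count(filter(matches, events),
                        "parent_process_name", "command_line")


if __name__ == "__main__":
    for row in remote_terminal_sessions(EVENTS):
        print(row["count"], row["parent_process_name"], row["command_line"])
```

Because the analytic is rated low confidence, the aggregated rows are a starting point for review: the rows with the lowest counts are the combinations seen least often in the data.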