Remote Services are legitimate protocols attackers frequently abuse for initial access, lateral movement, persistence, and command execution. Common techniques include RDP, SSH, WinRM, SMB, VNC, and VPN abuse, often using stolen or weak credentials to blend in as normal users. Attackers leverage these services for stealthy movement, fileless execution, and ransomware deployment. Key IOCs include abnormal login patterns, failed authentication spikes, unexpected service creation, and unusual east-west traffic.
1. What Are Remote Services?
Remote Services are legitimate protocols and services designed to allow users or systems to access machines remotely.
Attackers abuse these services because:
- They are built-in
- Often allowed through firewalls
- Can be abused using valid credentials (hard to detect)
Common attacker goals:
- Initial Access
- Lateral Movement
- Persistence
- Command & Control (C2)
2. Remote Services Techniques & Sub-Techniques
2.1 Remote Desktop Protocol (RDP)
Protocol: TCP/3389
OS: Windows
How Attackers Use It
- Brute force or password spray RDP credentials
- Use stolen credentials from phishing or infostealers
- Pivot internally once on a network
Common Abuse Patterns
- Enable RDP on systems where it was disabled
- Disable Network Level Authentication (NLA)
- Add attacker user to Remote Desktop Users group
IOCs
- Event ID 4624 (Logon Type 10)
- Event ID 4625 (failed logons)
- Sudden RDP logins at odd hours
- RDP sessions from unusual internal hosts
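The two login-pattern IOCs above (a burst of 4625 failures that ends in a 4624 Logon Type 10 success from the same source, and interactive RDP logons at odd hours) can be checked with a few lines of correlation logic. The block below is an added example, not code from the original page; the event records are constructed samples in a flattened SIEM-export shape, and the business-hours range, failure threshold and 10-minute window are assumptions to tune per environment.

```python
"""Added example: flag RDP abuse patterns in Windows Security event records.
Checks from the IOC list:
  1. a burst of Event ID 4625 failures followed by a 4624 Logon Type 10 success
     from the same source against the same host (a spray or brute force that worked)
  2. any 4624 Logon Type 10 logon outside business hours
The event records below are constructed samples, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures within WINDOW before a success are suspicious (assumption)
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local counts as normal (assumption)

# Constructed sample events: five failures then a success from one internal host at 02:xx,
# one normal daytime RDP logon, and one night-time network (type 3) logon that is not RDP.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T02:10:00", "id": 4625, "user": "jsmith", "src": "10.0.5.23", "host": "FS01", "logon_type": 10},
    {"ts": "2024-03-04T02:10:20", "id": 4625, "user": "jsmith", "src": "10.0.5.23", "host": "FS01", "logon_type": 10},
    {"ts": "2024-03-04T02:10:40", "id": 4625, "user": "jsmith", "src": "10.0.5.23", "host": "FS01", "logon_type": 10},
    {"ts": "2024-03-04T02:11:00", "id": 4625, "user": "jsmith", "src": "10.0.5.23", "host": "FS01", "logon_type": 10},
    {"ts": "2024-03-04T02:11:20", "id": 4625, "user": "jsmith", "src": "10.0.5.23", "host": "FS01", "logon_type": 10},
    {"ts": "2024-03-04T02:12:00", "id": 4624, "user": "jsmith", "src": "10.0.5.23", "host": "FS01", "logon_type": 10},
    {"ts": "2024-03-04T09:30:00", "id": 4624, "user": "admin1", "src": "10.0.1.10", "host": "FS01", "logon_type": 10},
    {"ts": "2024-03-04T02:00:00", "id": 4624, "user": "svc_backup", "src": "10.0.1.50", "host": "FS01", "logon_type": 3},
]


def detect_rdp_abuse(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for the two RDP abuse patterns."""
    ordered = sorted(events, key=lambda e: e["ts"])   # ISO-8601 strings sort chronologically
    failures = defaultdict(list)                       # (src, host) -> timestamps of 4625 events
    alerts = []
    for e in ordered:
        t = datetime.fromisoformat(e["ts"])
        key = (e["src"], e["host"])
        if e["id"] == 4625:
            failures[key].append(t)
            continue
        if e["id"] != 4624 or e.get("logon_type") != 10:
            continue                                   # only interactive RDP logons are in scope
        recent = [f for f in failures[key] if t - f <= window]
        if len(recent) >= fail_threshold:
            alerts.append({"type": "brute_force_then_success", "user": e["user"], "src": e["src"],
                           "host": e["host"], "failures": len(recent), "ts": e["ts"]})
        if t.hour not in BUSINESS_HOURS:
            alerts.append({"type": "off_hours_rdp_logon", "user": e["user"], "src": e["src"],
                           "host": e["host"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(alert)
```

Run against the samples, only the jsmith logon at 02:12 fires, once for each pattern; the daytime logon and the type-3 service logon are left alone. In production the same logic sits on top of a 4624/4625 feed, with the source IP taken from the event's network information fields.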
Real-World Scenario
Ransomware operators (e.g., Conti, Ryuk):
- Initial phishing → credential theft
- RDP into file servers
- Manual ransomware deployment
- Disable backups and shadow copies
2.2 Secure Shell (SSH)
Protocol: TCP/22
OS: Linux, Unix, Network Devices
How Attackers Use It
- Brute force weak credentials
- Abuse exposed SSH keys
- Lateral movement using reused credentials
Common Abuse Patterns
- Upload attacker SSH public keys into ~/.ssh/authorized_keys
- Tunneling traffic via SSH port forwarding
IOCs
- Repeated failed SSH logins
- Logins from new IPs or geolocations
- Changes to authorized_keys
- Unusual SSH port forwarding activity
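Three of the SSH IOCs above (repeated failed logins, logins from sources outside the usual baseline, and unapproved entries in authorized_keys) are checked in the added example below. It is not code from the original page: the sshd log lines, IP addresses, key blobs, the approved-key list and the known-source baseline are all constructed samples, and the threshold of five failures is an assumption.

```python
"""Added example: SSH abuse checks over sshd syslog lines and an authorized_keys file.
Covers repeated failed logins per source, accepted logins from sources outside a known
baseline, and authorized_keys entries that are not on an approved list.
All log lines, IPs and key blobs below are constructed samples."""
import re
from collections import Counter

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")    # prefixes of OpenSSH key type tokens

# Constructed auth.log excerpt (203.0.113.0/24 is a documentation range, not a real attacker).
SAMPLE_AUTH_LOG = """\
Mar  4 02:11:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Mar  4 02:11:03 web01 sshd[2203]: Failed password for root from 203.0.113.9 port 50130 ssh2
Mar  4 02:11:05 web01 sshd[2205]: Failed password for root from 203.0.113.9 port 50141 ssh2
Mar  4 02:11:07 web01 sshd[2207]: Failed password for deploy from 203.0.113.9 port 50150 ssh2
Mar  4 02:11:09 web01 sshd[2209]: Failed password for deploy from 203.0.113.9 port 50161 ssh2
Mar  4 02:11:12 web01 sshd[2211]: Accepted password for deploy from 203.0.113.9 port 50170 ssh2
Mar  4 09:00:00 web01 sshd[2300]: Accepted publickey for deploy from 10.0.2.15 port 41000 ssh2: ED25519 SHA256:c0nstructed
"""

# Constructed authorized_keys content: one approved key, one key nobody approved. The second
# line carries an options prefix, which a naive "first token is the key type" parser gets wrong.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedKeyBlob0000000000 deploy@bastion
command="/bin/true",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedRogueKeyBlob ops@unknown
"""
APPROVED_KEYS = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedKeyBlob0000000000")}
KNOWN_SOURCES = {"10.0.2.15"}            # bastion / jump-host baseline (assumption)


def parse_sshd(log_text):
    """Yield (result, method, user, src) for each sshd auth line that matches."""
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")


def failed_login_sources(log_text, threshold=5):
    """Return {src: failure_count} for sources at or above the threshold."""
    counts = Counter(src for result, _, _, src in parse_sshd(log_text) if result == "Failed")
    return {src: n for src, n in counts.items() if n >= threshold}


def accepted_from_unknown(log_text, known_sources=KNOWN_SOURCES):
    """Return (user, src, method) for successful logins from sources outside the baseline."""
    return [(user, src, method) for result, method, user, src in parse_sshd(log_text)
            if result == "Accepted" and src not in known_sources]


def parse_authorized_keys(text):
    """Yield (key_type, key_blob, comment), tolerating an options prefix before the key type.
    Options containing quoted spaces are not handled by this simple split."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#"):
            continue
        for i, tok in enumerate(fields):
            if tok.startswith(KEY_TYPES) and i + 1 < len(fields):
                yield tok, fields[i + 1], " ".join(fields[i + 2:])
                break


def unapproved_keys(text, approved=APPROVED_KEYS):
    """Return authorized_keys entries whose (type, blob) is not on the approved list."""
    return [(t, b, c) for t, b, c in parse_authorized_keys(text) if (t, b) not in approved]


if __name__ == "__main__":
    print("failed-login sources:", failed_login_sources(SAMPLE_AUTH_LOG))
    print("accepted from unknown:", accepted_from_unknown(SAMPLE_AUTH_LOG))
    print("unapproved keys:", unapproved_keys(SAMPLE_AUTHORIZED_KEYS))
```

The authorized_keys comparison is by key type and blob rather than by the whole line, so a rogue entry cannot hide behind an options prefix or a reassuring comment; a file-integrity monitor that alerts on any write to the file complements it.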
Real-World Scenario
Cloud breaches:
- Exposed Git repo leaks SSH private key
- Attacker accesses production servers
- Cryptominer deployed via SSH
2.3 Windows Remote Management (WinRM)
Protocol: TCP/5985 (HTTP), 5986 (HTTPS)
How Attackers Use It
- Execute commands remotely using valid credentials
- Fileless lateral movement
- Commonly used with PowerShell
Common Abuse Patterns
- Invoke-Command
- Enter-PSSession
- Living-off-the-Land (LOLBins)
IOCs
- PowerShell Event ID 4104
- WinRM service logs
- Remote PowerShell sessions between endpoints
Real-World Scenario
APT lateral movement:
- Credentials stolen via LSASS dumping
- WinRM used to execute payloads silently
- No malware dropped to disk
2.4 Server Message Block (SMB)
Protocol: TCP/445
How Attackers Use It
- Lateral movement using stolen NTLM hashes
- Remote execution via PsExec-like behavior
- Accessing administrative shares (C$, ADMIN$)
Common Abuse Patterns
- Pass-the-Hash
- Copy payloads via SMB shares
- Execute services remotely
IOCs
- Event ID 5140 (share access)
- Unexpected access to ADMIN$
- Service creation events (7045)
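The two IOCs above are strongest when read together: a PsExec-like remote execution shows up as Event ID 5140 naming ADMIN$ (or C$) on a host, followed within moments by Event ID 7045 on the same host for the freshly installed service. The added example below, which is not code from the original page, performs that correlation; the event records, service name and 5-minute window are constructed samples and assumptions.

```python
"""Added example: correlate SMB admin-share access with service creation.
Event ID 5140 (network share accessed) naming ADMIN$ or C$ on a host, followed shortly by
Event ID 7045 (service installed) on the same host, is the PsExec-style pattern.
Event records below are constructed samples, not real logs."""
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(minutes=5)   # assumption: the service install follows the share access quickly
ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed sample events: FS01 shows the pattern; WS07 is a normal share; FS02 has a
# service install with no preceding admin-share access (the C$ access there comes later).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T02:20:00", "id": 5140, "host": "FS01", "src": "10.0.5.23", "user": "jsmith", "share": "\\\\*\\ADMIN$"},
    {"ts": "2024-03-04T02:20:30", "id": 7045, "host": "FS01", "service": "RemoteSvc01", "image": "%SystemRoot%\\RemoteSvc01.exe"},
    {"ts": "2024-03-04T09:00:00", "id": 5140, "host": "WS07", "src": "10.0.1.10", "user": "admin1", "share": "\\\\*\\Public"},
    {"ts": "2024-03-04T10:00:00", "id": 7045, "host": "FS02", "service": "Backup Agent", "image": "C:\\Program Files\\Backup\\agent.exe"},
    {"ts": "2024-03-04T11:00:00", "id": 5140, "host": "FS02", "src": "10.0.1.10", "user": "admin1", "share": "\\\\*\\C$"},
]


def share_name(path):
    """Reduce a 5140 share path such as \\\\*\\ADMIN$ to its last component, upper-cased."""
    return path.rstrip("\\").split("\\")[-1].upper()


def correlate_share_to_service(events, window=CORRELATION_WINDOW):
    """Return alerts for each 7045 that follows admin-share access on the same host within window."""
    ordered = sorted(events, key=lambda e: e["ts"])   # ISO-8601 strings sort chronologically
    recent_admin_access = {}                           # host -> [(ts, src, user), ...]
    alerts = []
    for e in ordered:
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES:
            recent_admin_access.setdefault(e["host"], []).append((t, e["src"], e["user"]))
        elif e["id"] == 7045:
            for access_ts, src, user in recent_admin_access.get(e["host"], []):
                if timedelta(0) <= t - access_ts <= window:
                    alerts.append({"type": "admin_share_then_service_install", "host": e["host"],
                                   "src": src, "user": user, "service": e["service"],
                                   "image": e["image"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate_share_to_service(SAMPLE_EVENTS):
        print(alert)
```

Only FS01 is reported: the WS07 access is to a non-administrative share, and on FS02 the C$ access happens after the service install, so the order rules it out. Attributing the 7045 to the source address recorded in the 5140 is what turns a bare "service created" event into a lateral-movement lead.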
Real-World Scenario
WannaCry ransomware:
- Exploited SMB vulnerability
- Self-propagated laterally
- Rapid network-wide infection
2.5 Virtual Network Computing (VNC)
Protocol: TCP/5900+
How Attackers Use It
- Exploit weak or missing authentication
- Observe user activity (credential harvesting)
- Remote control for persistence
IOCs
- VNC services running unexpectedly
- Connections from unknown IPs
- Screen capture artifacts
Real-World Scenario
POS malware attacks:
- VNC installed on POS terminals
- Attackers monitor transactions in real time
2.6 VPN Abuse
Protocol: Varies (IPsec, SSL, OpenVPN)
How Attackers Use It
- Use stolen credentials to access internal network
- Blend in with legitimate users
- Bypass perimeter defenses
IOCs
- VPN logins from abnormal locations
- Impossible travel alerts
- VPN sessions without MFA
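Impossible travel is the VPN IOC that is easiest to compute from login records alone: for each user, consecutive logins are compared, and the great-circle distance divided by the elapsed time gives an implied speed. The added example below, which is not code from the original page, does that with the haversine formula and also flags sessions that completed without MFA; the login records, coordinates, IP addresses, the 900 km/h speed ceiling and the 50 km minimum distance are constructed samples and assumptions.

```python
"""Added example: impossible-travel and missing-MFA checks over VPN login records.
Per user, consecutive logins are compared: haversine distance / elapsed time = implied speed,
and a speed above MAX_PLAUSIBLE_KMH is flagged. Records below are constructed samples."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0    # assumption: roughly airliner speed
MIN_DISTANCE_KM = 50.0       # assumption: ignore geo-IP jitter within one metro area

# Constructed sample logins (198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges).
SAMPLE_LOGINS = [
    {"ts": "2024-03-04T08:00:00", "user": "alice", "src": "198.51.100.7", "lat": 40.7128, "lon": -74.0060, "mfa": True},  # New York
    {"ts": "2024-03-04T09:00:00", "user": "alice", "src": "203.0.113.44", "lat": 51.5074, "lon": -0.1278, "mfa": True},  # London, 1 h later
    {"ts": "2024-03-04T08:00:00", "user": "bob", "src": "198.51.100.8", "lat": 40.7128, "lon": -74.0060, "mfa": True},    # New York
    {"ts": "2024-03-04T12:00:00", "user": "bob", "src": "198.51.100.9", "lat": 42.3601, "lon": -71.0589, "mfa": True},    # Boston, 4 h later
    {"ts": "2024-03-04T10:00:00", "user": "carol", "src": "192.0.2.5", "lat": 48.8566, "lon": 2.3522, "mfa": False},      # Paris, no MFA
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_vpn_anomalies(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return alerts for sessions without MFA and for impossible travel between consecutive logins."""
    alerts = []
    last_seen = {}   # user -> previous login record
    for rec in sorted(logins, key=lambda r: (r["user"], r["ts"])):
        if not rec["mfa"]:
            alerts.append({"type": "vpn_session_without_mfa", "user": rec["user"],
                           "src": rec["src"], "ts": rec["ts"]})
        prev = last_seen.get(rec["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(rec["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            # two distant locations at the same instant is impossible too; guard the division
            if dist >= min_km and (hours == 0 or dist / hours > max_kmh):
                alerts.append({"type": "impossible_travel", "user": rec["user"], "from_src": prev["src"],
                               "to_src": rec["src"], "km": round(dist), "hours": round(hours, 2), "ts": rec["ts"]})
        last_seen[rec["user"]] = rec
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_anomalies(SAMPLE_LOGINS):
        print(alert)
```

Alice's New York to London hop in one hour (about 5,570 km) is flagged; Bob's New York to Boston over four hours is not; Carol is reported for the session without MFA. The minimum-distance floor matters in practice, because geo-IP databases place the same user a few kilometres apart between sessions.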
Real-World Scenario
Enterprise ransomware:
- VPN credentials sold on dark web
- Attacker logs in legitimately
- Lateral movement begins immediately
3. Indicators of Compromise (IOCs)
Network IOCs
- Unusual east-west traffic
- Excessive authentication attempts
- SMB/RDP connections outside normal patterns
Host IOCs
- New local admin accounts
- Services created unexpectedly
- Modified registry keys enabling remote access
Identity IOCs
- Password spray patterns
- MFA bypass attempts
- Reused credentials across systems
4. Incident Response (IR) – Remote Services Abuse
Phase 1: Identification
- Correlate authentication logs
- Detect abnormal remote sessions
- Identify compromised accounts
Phase 2: Containment
- Disable compromised accounts
- Block attacker IPs
- Isolate affected hosts
Phase 3: Eradication
- Reset credentials enterprise-wide
- Remove persistence mechanisms
- Patch exposed services
Phase 4: Recovery
- Restore clean backups
- Re-enable services securely
- Monitor for reinfection
Phase 5: Lessons Learned
- Enforce MFA
- Harden remote services
- Improve logging & alerting
5. MITRE-Aligned Summary Table
| Technique | Protocol | Attacker Use | Key IOCs | Real-World Example |
|---|---|---|---|---|
| RDP | TCP/3389 | Credential abuse, lateral movement | Event 4624/4625, odd logon times | Ransomware operators |
| SSH | TCP/22 | Brute force, key abuse | Failed logins, authorized_keys changes | Cloud cryptomining |
| WinRM | TCP/5985/5986 | Fileless execution | PowerShell 4104 logs | APT lateral movement |
| SMB | TCP/445 | Pass-the-Hash, PsExec | ADMIN$ access, service creation | WannaCry |
| VNC | TCP/5900 | Remote control, spying | Unexpected VNC services | POS malware |
| VPN | Various | Legitimate-looking access | Impossible travel, MFA bypass | Enterprise ransomware |
6. Key Defensive Takeaways
- MFA everywhere (VPN, RDP, admin accounts)
- Disable unused remote services
- Restrict lateral movement (network segmentation)
- Monitor identity, not just malware
- Assume valid credentials will be abused
