远程服务指攻击者利用合法凭证通过SSH、RDP等协议建立远程连接,实施横向移动或持久化控制的技术。传统检测手段通过分析异常登录时间、高频跨系统访问、非常用端口连接等特征进行识别,防御措施包括多因素认证强化、网络分段隔离、会话行为审计等。然而随着攻击者匿迹技术的演进,基于单一维度特征分析的防护体系面临严峻挑战。
为规避传统检测机制,攻击者发展出多维度融合的远程服务匿迹技术,通过协议特征混淆、身份实体动态化、信任链寄生等策略重构攻击行为模式,使远程连接行为在协议合规性、身份合法性和工具可信性层面均符合正常业务特征,形成"形神兼备"的隐蔽通道。
现有远程服务匿迹技术的实现范式呈现三大共性特征:首先在协议层实施深度伪装,通过协议嵌套、流量整形等技术消除远程服务的网络层指纹;其次在身份层构建动态化体系,利用凭证池轮换、权限映射转换等手法破坏行为链关联性;最后在应用层寄生可信生态,通过白名单工具滥用、云服务API劫持等方式实现攻击流量与企业正常业务的深度交融。协议隧道嵌套通信技术通过重构协议栈层次突破网络层检测,使恶意会话隐藏在合法应用流量中;凭证动态轮换会话技术利用身份实体快速切换制造行为分析噪声,规避用户实体行为分析;合法工具链隐蔽连接技术则直接寄生在企业管理体系内部,实现"检测豁免"级隐匿效果。三类技术共同构建了"协议不可见、身份不可溯、工具不可疑"的立体化匿迹体系。
匿迹技术的应用导致传统基于特征匹配的远程服务检测方法大量失效,防御方需构建协议语义深度解析、身份行为图谱分析、工具链完整性校验等新型能力,结合跨层威胁狩猎和动态信任评估模型,实现对隐蔽远程连接的全生命周期感知与阻断。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ✅ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
通过协议隧道嵌套和合法工具滥用,将远程服务流量特征伪装成正常业务交互。例如将RDP会话封装在HTTPS流中,使流量表现为标准Web通信;或利用企业授权管理工具建立连接,使会话进程、端口等特征完全符合运维白名单策略。这种深度伪装使防御方难以从网络流量或进程行为中识别异常。
借助零日漏洞或管理策略缺陷,攻击者可直接滥用系统原生远程服务组件(如Windows远程协助、macOS屏幕共享),利用这些服务的合法交互特性实施隐蔽控制。由于相关操作未触发非授权访问告警,防御方难以察觉异常远程连接行为。
采用TLS 1.3、QUIC等新型加密协议传输远程会话数据,结合前向保密机制防止流量解密回溯。在协议嵌套场景中,外层协议加密有效遮蔽内层远程协议特征,使深度包检测技术难以提取有效攻击指纹。
凭证动态轮换技术将单次攻击链拆解为多账户、多节点的离散访问事件,低频次、长间隔的远程连接使行为特征稀释在正常运维流量中。结合全球代理节点池的动态调度,破坏攻击行为的时间连续性与空间关联性,导致传统基于时序分析的检测模型失效。
| ID | Name | Description |
|---|---|---|
| G0143 | Aquatic Panda |
Aquatic Panda used remote scheduled tasks to install malicious software on victim systems during lateral movement actions.[1] |
| S1063 | Brute Ratel C4 |
Brute Ratel C4 has the ability to use RPC for lateral movement.[2] |
| G1003 | Ember Bear |
Ember Bear uses valid network credentials gathered through credential harvesting to move laterally within victim networks, often employing the Impacket framework to do so.[3] |
| S0437 | Kivars |
Kivars has the ability to remotely trigger keyboard input and mouse clicks. [4] |
| S1016 | MacMa | |
| S0603 | Stuxnet |
Stuxnet can propagate via peer-to-peer communication and updates using RPC.[6] |
| G0102 | Wizard Spider |
Wizard Spider has used the WebDAV protocol to execute Ryuk payloads hosted on network file shares.[7] |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| M1042 | Disable or Remove Feature or Program |
If remote services, such as the ability to make direct connections to cloud virtual machines, are not required, disable these connection types where feasible. |
| M1035 | Limit Access to Resource Over Network |
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. |
| M1032 | Multi-factor Authentication |
Use multi-factor authentication on remote service logons where possible. |
| M1027 | Password Policies |
Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. |
| M1018 | User Account Management |
Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. |
| DS0028 | Logon Session | Logon Session Creation |
Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For example, in macOS you can review logs for "screensharingd" and "Authentication" event messages. [8][9] Note: When using Security event id 4624, %$ means user names that do not end with $ character. Usually, computer accounts or local system accounts names end with the $ character. When using Security event 4624, UserName and UserLogonId correspond to TargetUserName and TargetLogonId respectively. When using Security event 4624, LogonType 3 corresponds to a Network Logon Analytic 1 - New services being created under network logon sessions by non-system users |
| DS0011 | Module | Module Load |
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes, that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. Note: On Windows, Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes, including those designed to accept remote connections. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and module to help reduce the number of events that are produced. |
| DS0033 | Network Share | Network Share Access |
Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). |
| DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp: 3389 and tcp:22 for remote login. |
| Network Traffic Flow |
Monitor network data for uncommon data flows that may be related to abuse of Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network service protocols such as SSH and RDP. Analytic 1 - Suspicious Protocols
|
||
| DS0009 | Process | Process Creation |
Monitor for newly executed processes that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. The adversary may then perform actions that spawn additional processes as the logged-on user. Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters. Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include
Analytic 1 - Suspicious Arguments
|
| DS0005 | WMI | WMI Creation |
Monitor for newly constructed WMI objects that is often used to log into a service that accepts remote connects. |