Remote Terminal Sessions
An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections.
| id: | 5c310aff-d4a8-43fb-beed-b17dab1f1df0 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows, macos, linux |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping

| tactics: | Lateral Movement |
|---|---|
| techniques: | T1021 Remote Services |
Query

```
process where subtype.create and
  process_name in ("telnet.exe", "putty.exe", "ssh")
| unique_count parent_process_name, command_line
```
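Added example (not part of the original analytic): a Python rendering of the query's logic run over constructed process events, showing how stacking on `parent_process_name` and `command_line` surfaces the rare pairs an analyst should review first. The event dictionaries, host names, the `percent` field and the rarest-first sort are assumptions for illustration; lower-casing the process name assumes case-insensitive string matching.

```python
from collections import Counter

# Process names taken from the query above.
REMOTE_TERMINAL_CLIENTS = {"telnet.exe", "putty.exe", "ssh"}

def ev(subtype, name, parent, cmd):
    """Build one constructed process event using the query's field names."""
    return {"event_type": "process", "subtype": subtype, "process_name": name,
            "parent_process_name": parent, "command_line": cmd}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ev("create", "ssh", "bash", "ssh admin@build01.example.test"),
    ev("create", "ssh", "bash", "ssh admin@build01.example.test"),
    ev("create", "ssh", "bash", "ssh admin@build01.example.test"),
    ev("terminate", "ssh", "bash", "ssh admin@build01.example.test"),
    ev("create", "putty.exe", "explorer.exe", "putty.exe -ssh ops@db02.example.test"),
    ev("create", "PUTTY.EXE", "explorer.exe", "putty.exe -ssh ops@db02.example.test"),
    ev("create", "telnet.exe", "winword.exe", "telnet.exe 192.0.2.10"),
    ev("create", "ssh", "python3", "ssh -o BatchMode=yes svc@app03.example.test"),
    ev("create", "notepad.exe", "explorer.exe", "notepad.exe"),
]

def is_remote_terminal_start(event):
    """Mirror of: process where subtype.create and process_name in (...)."""
    return (event.get("event_type") == "process"
            and event.get("subtype") == "create"
            and event.get("process_name", "").lower() in REMOTE_TERMINAL_CLIENTS)

def stack_remote_terminals(events):
    """Count each unique (parent_process_name, command_line) pair, rarest first."""
    counts = Counter((e["parent_process_name"], e["command_line"])
                     for e in events if is_remote_terminal_start(e))
    total = sum(counts.values())
    rows = [{"parent_process_name": parent, "command_line": cmd,
             "count": n, "percent": n / total}
            for (parent, cmd), n in counts.items()]
    # Rare pairs sort to the top; ties break on the key for stable output.
    return sorted(rows, key=lambda r: (r["count"], r["parent_process_name"],
                                       r["command_line"]))

if __name__ == "__main__":
    for row in stack_remote_terminals(SAMPLE_EVENTS):
        print(f'{row["count"]:>3} {row["percent"]:6.1%}  '
              f'{row["parent_process_name"]:<14} {row["command_line"]}')
```

Because the analytic is low confidence and categorized as enrichment, the counts are context for triage rather than an alert: common pairs establish the baseline and the single-occurrence rows are the ones to look at.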