CAPEC-555 Remote Services with Stolen Credentials

CAPEC ID: 555

CAPEC-555 Metadata

Likelihood of Attack

Medium

Typical Severity

Very High

Overview

Summary

This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.

Prerequisites

No prerequisites listed.

Potential Solutions / Mitigations

Disable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote interactive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP. Limit remote user permissions. Use remote desktop gateways and multifactor authentication for remote logins.

Related Weaknesses (CWE)

CWE ID Description
CWE-262 Not Using Password Aging
CWE-263 Password Aging with Long Expiration
CWE-294 Authentication Bypass by Capture-replay
CWE-308 Use of Single-factor Authentication
CWE-309 Use of Password System for Primary Authentication
CWE-521 Weak Password Requirements
CWE-522 Insufficiently Protected Credentials

Related CAPECs

CAPEC ID Description
CAPEC-151 Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-560 An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID Entry Name
1021 Remote Services
1114.002 Email Collection:Remote Email Collection
1133 External Remote Services

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.