Add T1021 "Remote Services" MITRE technique and sub-technique references #20560
Conversation
| inject_request(cookie, token, 'rm -rf /a') | ||
| inject_request(cookie, token, 'rm -rf b') |
There was a problem hiding this comment.
Rubocop was not happy with this...
cdelafuente-r7
force-pushed
the
feat/mitre/T1021
branch
from
6717c16 to
150dd43
Compare
|
Based on reading the ATTA&K docs, we're looking for modules that use an account on a remote service to steal/manipulate/add. That said, this PR includes:
I'm unclear as to why those are included, but
|
|
I also see that |
|
Hi Brendan, thank you for looking into this. I agree there are some missing modules there. I need to update my scripts since I just realized some techniques were not properly included. |
|
It might be worth it to do a scan of all documentation that gives the value for username and then check if the module contains the HTTP::Client, SMB::Client, or other remote-based client library. Based on the MITRE docs, if we're logging in, were using this technique, I assume? |
| ['URL', 'https://en.wikipedia.org/wiki/SMBRelay'], | ||
| ['URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx'] | ||
| ['URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx'], | ||
| ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES] |
There was a problem hiding this comment.
Question: Should we be manually adding the parent T1021_REMOTE_SERVICES here explicitly, or should we be wiring that up behind the scenes implicitly? 🤔
| ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES] | |
| ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES], | |
| ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES] |
The reason being, whether or not we should be showing T1021_REMOTE_SERVICES in Pro's UI or in the info command by default
There was a problem hiding this comment.
If we want to go with the implicit approach, then it'd make sense to ignore any related code changes to this PR and create a separate ticket 👍
Or happy to ignore entirely (Spencer's preference) 🥳
There was a problem hiding this comment.
In answer to this, see exploits/linux/misc/igel_command_injection
It works through either telnet or VNC. VNC has a special subclause, but telnet does not. The only way to express both is with the overarching technique and the sub-technique. It might be useful to keep them separate so that you can see both?
| ['CVE', '2018-5999'], | ||
| ['CVE', '2018-6000'] | ||
| ['CVE', '2018-6000'], | ||
| ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] |
There was a problem hiding this comment.
This module does not use an account; it uses a special POST requesto to place the router in command mode, then sends a UDP packet instructing the router to start a telnet server serving bash.
| ['URL', 'https://www.postgresql.org/support/security/CVE-2025-1094/'], # PostgreSQL Advisory | ||
| ['URL', 'https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis'] # Rapid7 Analysis | ||
| ['URL', 'https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis'], # Rapid7 Analysis | ||
| ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] |
There was a problem hiding this comment.
I do not see anywhere in this module where we are using an authenticated account?
| ['URL', 'https://en.wikipedia.org/wiki/SMBRelay'], | ||
| ['URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx'] | ||
| ['URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx'], | ||
| ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES] |
There was a problem hiding this comment.
In answer to this, see exploits/linux/misc/igel_command_injection
It works through either telnet or VNC. VNC has a special subclause, but telnet does not. The only way to express both is with the overarching technique and the sub-technique. It might be useful to keep them separate so that you can see both?
| [ 'URL', 'https://kb.igel.com/securitysafety/en/isn-2021-01-igel-os-remote-command-execution-vulnerability-41449239.html' ], | ||
| [ 'URL', 'https://www.igel.com/wp-content/uploads/2021/02/lxos_11.04.270.txt' ] | ||
| [ 'URL', 'https://www.igel.com/wp-content/uploads/2021/02/lxos_11.04.270.txt' ], | ||
| [ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ] |
There was a problem hiding this comment.
I don't see anywhere we are authenticating in this module?
| ['URL', 'https://platformsecurity.com/blog/CVE-2025-32433-poc'], | ||
| ['URL', 'https://github.com/ProDefense/CVE-2025-32433'] | ||
| ['URL', 'https://github.com/ProDefense/CVE-2025-32433'], | ||
| ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] |
There was a problem hiding this comment.
I don't see where this is authenticating
| } | ||
| }, | ||
| 'References' => [ | ||
| [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] |
There was a problem hiding this comment.
Also retrieves passwords
| } | ||
| }, | ||
| 'References' => [ | ||
| [ 'ATT&CK', Mitre::Attack::Technique::T1021_001_REMOTE_DESKTOP_PROTOCOL ] |
There was a problem hiding this comment.
This just enables RDP, it does not authenticate.
| ['URL', 'https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview'], | ||
| ['URL', 'https://github.com/PowerShell/openssh-portable'] | ||
| ['URL', 'https://github.com/PowerShell/openssh-portable'], | ||
| ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] |
There was a problem hiding this comment.
I don't think installing ssh counts?
| 'References' => [ | ||
| [ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ] | ||
| [ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ], | ||
| [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] |
There was a problem hiding this comment.
This seems to be sort of a VNC relay attack, it might be better to use the VNC sub-category?
| } | ||
| }, | ||
| 'References' => [ | ||
| [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] |
There was a problem hiding this comment.
This just adds an ssh key; it does not log in.
This adds the reference to MITRE ATT&CK technique T1021 "Remote Services" and its sub-techniques. (see https://attack.mitre.org/techniques/T1021/ for details).
This has been mainly done with the help of AI and local scripts. The process was as follows: