{
	"id": "fb708a4d-2e68-4fb7-812c-52efcb7a15f3",
	"created_at": "2026-04-06T02:12:24.776279Z",
	"updated_at": "2026-04-10T13:13:09.07494Z",
	"deleted_at": null,
	"sha1_hash": "672403a887a697b33438d385958973fe4abc3352",
	"title": "CAPEC-555: Remote Services with Stolen Credentials (Version 3.9)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43675,
	"plain_text": "CAPEC-555: Remote Services with Stolen Credentials (Version 3.9)\r\nArchived: 2026-04-06 01:50:09 UTC\r\nAttack Pattern ID: 555\r\nAbstraction: Standard\r\n Description\r\nThis pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet,\r\nSSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.\r\n Typical Severity\r\nVery High\r\n Relationships\r\nThis table shows the other attack patterns and high level categories that are related to this attack pattern. These\r\nrelationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels\r\nof abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack\r\npatterns that the user may want to explore.\r\nNature Type\r\nChildOf Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or techn\r\nCanPrecede Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or techn\r\nCanPrecede Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techni\r\nThis table shows the views that this attack pattern belongs to and top level categories within that view.\r\nView Name Top Level Categories\r\nDomains of Attack Software\r\nMechanisms of Attack Subvert Access Control\r\n Mitigations\r\nDisable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote\r\ninteractive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP.\r\nLimit remote user permissions. 
Use remote desktop gateways and multifactor authentication for remote logins.\r\n Example Instances\r\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a\r\nsystem desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote\r\nDesktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that\r\nprovide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS\r\nto expand access if the service is enabled and allows access to accounts with known credentials.\r\nWindows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to\r\ninteract with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the\r\nwinrm command or by any number of programs such as PowerShell.\r\n Taxonomy Mappings\r\nhttps://capec.mitre.org/data/definitions/555.html\r\nPage 1 of 2\n\nCAPEC mappings to ATT\u0026CK techniques leverage an inheritance model to streamline and minimize direct\r\nCAPEC/ATT\u0026CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant\r\nATT\u0026CK mappings. 
Note that the ATT\u0026CK Enterprise Framework does not use an inheritance model as part of the\r\nmapping to CAPEC.\r\nRelevant to the ATT\u0026CK taxonomy mapping (also see parent)\r\nEntry ID Entry Name\r\n1021 Remote Services\r\n1114.002 Email Collection:Remote Email Collection\r\n1133 External Remote Services\r\n Content History\r\nSubmissions\r\nSubmission Date Submitter Organization\r\n2015-11-09\r\n(Version 2.7)\r\nCAPEC Content Team The MITRE Corporation\r\nModifications\r\nModification\r\nDate\r\nModifier Organization\r\n2018-07-31\r\n(Version 2.12)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Description Summary, Examples-Instances, References, Related_Weaknesses,\r\nTypical_Severity\r\n2020-07-30\r\n(Version 3.3)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated @Abstraction, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings\r\n2022-09-29\r\n(Version 3.8)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Taxonomy_Mappings\r\nSource: https://capec.mitre.org/data/definitions/555.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://capec.mitre.org/data/definitions/555.html"
	],
	"report_names": [
		"555.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441544,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/672403a887a697b33438d385958973fe4abc3352.pdf",
		"text": "https://archive.orkl.eu/672403a887a697b33438d385958973fe4abc3352.txt",
		"img": "https://archive.orkl.eu/672403a887a697b33438d385958973fe4abc3352.jpg"
	}
}