Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| beyondcorp_enterprise | BeyondCorp Enterprise | technique_scores | T1133 | External Remote Services |
Comments
Implementing BeyondCorp Enterprise enacts a zero trust model. No one can access your resources unless they meet all the rules and conditions. Instead of securing your resources at the network-level, access controls are instead applied to individual devices and users.
References
|
| cloud_identity | Cloud Identity | technique_scores | T1133 | External Remote Services |
|
| cloudvpn | CloudVPN | technique_scores | T1133 | External Remote Services |
Comments
This control provides protections against adversaries who try to access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.
References
|
| firewalls | Firewalls | technique_scores | T1133 | External Remote Services |
Comments
Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow certain remote services to be available. Furthermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).
References
|
| security_command_center | Security Command Center | technique_scores | T1133 | External Remote Services |
Comments
SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "reverse shell"). SCC specifically detects for stdin bound to a remote socket. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
References
|
| advancedprotectionprogram | AdvancedProtectionProgram | technique_scores | T1133 | External Remote Services |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA for remote service accounts can mitigate an adversary's ability to leverage stolen credentials since they won't have the respective security key to gain access.
References
|