T1133 External Remote Services Mappings

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
beyondcorp_enterprise BeyondCorp Enterprise technique_scores T1133 External Remote Services
cloud_identity Cloud Identity technique_scores T1133 External Remote Services
cloudvpn CloudVPN technique_scores T1133 External Remote Services
firewalls Firewalls technique_scores T1133 External Remote Services
security_command_center Security Command Center technique_scores T1133 External Remote Services
advancedprotectionprogram AdvancedProtectionProgram technique_scores T1133 External Remote Services