Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
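The monitoring and logon-attempt controls mapped below (AC-07, SI-04) come down to watching the gateway's authentication log for the patterns the description above implies: a burst of failed logons followed by a success for one account (guessed or stuffed credentials), and a successful logon from a source address the account has never used (credentials obtained elsewhere). The following is an added example, not code from ATT&CK or from the mapping project; the syslog-like log format, the usernames, the addresses and the per-user baseline of known source addresses are all constructed for illustration.

```python
"""Flag suspicious logons to an external remote service (e.g. a VPN gateway)
from its authentication log. Two detections:
  * failed-then-success: >= FAIL_THRESHOLD failures for an account within
    WINDOW, immediately followed by a success (credential guessing/stuffing)
  * new-source: a success from a source address not in the account's baseline
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line format; a real gateway's syslog will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn-gw auth user=alice src=198.51.100.10 result=SUCCESS
2024-05-01T08:01:00Z vpn-gw auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T08:01:05Z vpn-gw auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T08:01:09Z vpn-gw auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T08:01:12Z vpn-gw auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T08:01:20Z vpn-gw auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T08:01:31Z vpn-gw auth user=bob src=203.0.113.7 result=SUCCESS
2024-05-01T09:30:00Z vpn-gw auth user=carol src=192.0.2.44 result=SUCCESS
2024-05-01T10:00:00Z vpn-gw auth user=alice src=198.51.100.10 result=FAIL
2024-05-01T10:00:30Z vpn-gw auth user=alice src=198.51.100.10 result=SUCCESS
"""

# Constructed baseline: source addresses each account has used before.
KNOWN_SOURCES = {
    "alice": {"198.51.100.10"},
    "bob": {"203.0.113.7"},
    "carol": {"192.0.2.99"},
}

FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse(lines):
    """Yield parsed events as dicts; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect(log_text, known_sources, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts in log order."""
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of failures in window
    for ev in parse(log_text.splitlines()):
        user, ts = ev["user"], ev["ts"]
        # Keep only failures that fall inside the sliding window.
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window]
        if ev["result"] == "FAIL":
            recent_fails[user].append(ts)
            continue
        # A success: evaluate both detections, then reset the failure history.
        if len(recent_fails[user]) >= fail_threshold:
            alerts.append({"type": "failed-then-success", "user": user,
                           "src": ev["src"], "fails": len(recent_fails[user]),
                           "ts": ts.isoformat()})
        if ev["src"] not in known_sources.get(user, set()):
            alerts.append({"type": "new-source", "user": user,
                           "src": ev["src"], "ts": ts.isoformat()})
        recent_fails[user] = []
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_SOURCES):
        print(alert)
```

On the sample log this raises two alerts: bob's success after five failures inside the window, and carol's success from an address outside her baseline; alice's single failure followed by a success from a known address stays quiet. The baseline should be built from a period of trusted history and refreshed as users legitimately change locations, and the threshold and window tuned to the gateway's real failure rates.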
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1133 | External Remote Services | |
AC-20 | Use of External Systems | Protects | T1133 | External Remote Services | |
AC-03 | Access Enforcement | Protects | T1133 | External Remote Services | |
AC-04 | Information Flow Enforcement | Protects | T1133 | External Remote Services | |
AC-06 | Least Privilege | Protects | T1133 | External Remote Services | |
AC-07 | Unsuccessful Logon Attempts | Protects | T1133 | External Remote Services | |
CM-02 | Baseline Configuration | Protects | T1133 | External Remote Services | |
CM-06 | Configuration Settings | Protects | T1133 | External Remote Services | |
CM-07 | Least Functionality | Protects | T1133 | External Remote Services | |
CM-08 | System Component Inventory | Protects | T1133 | External Remote Services | |
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1133 | External Remote Services | |
IA-05 | Authenticator Management | Protects | T1133 | External Remote Services | |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1133 | External Remote Services | |
SC-46 | Cross Domain Policy Enforcement | Protects | T1133 | External Remote Services | |
SC-07 | Boundary Protection | Protects | T1133 | External Remote Services | |
SI-04 | System Monitoring | Protects | T1133 | External Remote Services | |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1133 | External Remote Services | |
PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1133 | External Remote Services | Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect an organization from breaches that use existing privileged admin accounts with standing access to sensitive data or critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This gives users just enough access to perform the task at hand without risking exposure of sensitive data or critical Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, the two features provide access control with just-in-time access at different scopes (e.g., encryption, RBAC, Conditional Access, JIT, Just Enough Access with approval). License requirements: M365 E5 customers. |