T1133 External Remote Services Mappings

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1133 External Remote Services
AC-20 Use of External Systems Protects T1133 External Remote Services
AC-03 Access Enforcement Protects T1133 External Remote Services
AC-04 Information Flow Enforcement Protects T1133 External Remote Services
AC-06 Least Privilege Protects T1133 External Remote Services
AC-07 Unsuccessful Logon Attempts Protects T1133 External Remote Services
CM-02 Baseline Configuration Protects T1133 External Remote Services
CM-06 Configuration Settings Protects T1133 External Remote Services
CM-07 Least Functionality Protects T1133 External Remote Services
CM-08 System Component Inventory Protects T1133 External Remote Services
IA-02 Identification and Authentication (organizational Users) Protects T1133 External Remote Services
IA-05 Authenticator Management Protects T1133 External Remote Services
RA-05 Vulnerability Monitoring and Scanning Protects T1133 External Remote Services
SC-46 Cross Domain Policy Enforcement Protects T1133 External Remote Services
SC-07 Boundary Protection Protects T1133 External Remote Services
SI-04 System Monitoring Protects T1133 External Remote Services
SI-07 Software, Firmware, and Information Integrity Protects T1133 External Remote Services
PUR-PAM-E5 Privileged Access Management Technique Scores T1133 External Remote Services