T1133 External Remote Services Mappings

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)


Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

CVE-2014-7169 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2014-7169 allows environment variables set from service/HTTP requests on a server (e.g. HTTP_COOKIE) to be interpreted by the Bash shell in a way that spawns a child shell with the authority/privilege level of the parent shell, enabling RCE of code provided by the adversary in the request.

CVE-2014-6271 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2014-6271 allows environment variables set from service/HTTP requests on a server (e.g. HTTP_COOKIE) to be interpreted by the Bash shell in a way that spawns a child shell with the authority/privilege level of the parent shell, enabling RCE of code provided by the adversary in the request.

CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | secondary_impact | T1133 | External Remote Services |
  Comments: CVE-2020-1472 is a privilege escalation vulnerability in Windows Netlogon. After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials.

CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1133 | External Remote Services |
  Comments: CVE-2021-26857, part of ProxyLogon, is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.

CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2020-5902 is an RCE vulnerability in the Traffic Management User Interface (TMUI) that allows unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code.

CVE-2019-11510 | Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2019-11510: Pulse Connect Secure is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.

CVE-2019-19781 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2019-19781 is exploited through directory traversal, allowing an unauthenticated attacker to execute arbitrary code on affected Citrix NetScaler Application Delivery Controller (ADC) appliances.

CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1133 | External Remote Services |

CVE-2021-1498 | Cisco HyperFlex HX Data Platform Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2021-1498 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device.

CVE-2021-1497 | Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2021-1497 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device.

CVE-2019-3396 | Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.

CVE-2019-5591 | Fortinet FortiOS Default Configuration Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS, specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating a Lightweight Directory Access Protocol (LDAP) server.

CVE-2020-8515 | Multiple DrayTek Vigor Routers Web Management Page Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices. This vulnerability allows an attacker to execute arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.

CVE-2020-25506 | D-Link DNS-320 Device Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2020-25506 is a command injection vulnerability in the system_mgr.cgi component of D-Link DNS-320 FW v2.06B01 Revision Ax, which can lead to remote arbitrary code execution.

CVE-2021-22986 | F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: The iControl REST interface has an unauthenticated remote command execution vulnerability. This vulnerability allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.

CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | exploitation_technique | T1133 | External Remote Services |

CVE-2019-0708 | Microsoft Remote Desktop Services Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability in Windows Remote Desktop Services. BlueKeep can enable remote unauthenticated attackers to run arbitrary code or conduct denial of service attacks, and potentially take control of vulnerable systems.

CVE-2023-20269 | Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: This vulnerability is exploited by an unauthenticated, remote attacker by specifying a default connection profile/tunnel group, enabling a brute-force attack to identify valid credentials and establish a clientless SSL VPN session using those valid credentials.

CVE-2022-20699 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: This vulnerability is exploited by a remote, unauthenticated attacker by "sending a specially crafted HTTP request to a vulnerable device that is acting as an SSL VPN Gateway." This is possible due to insufficient boundary checks when processing specific HTTP requests. If exploited, this could grant root privileges to the attacker.

CVE-2023-27532 | Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability | exploitation_technique | T1133 | External Remote Services |
  Comments: CVE-2023-27532 is a vulnerability in Veeam Backup & Replication servers exposed online which allows unauthenticated users to request encrypted credentials. Public reporting has indicated that various ransomware groups have exploited this vulnerability to gain access and crash the backup infrastructure hosts, extract stored encrypted credentials, and deploy additional tools.