Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of privileged account management and the use of multi-factor authentication.
References
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of revocation of keys and key management. Employing key protection strategies and key management for those used in external remote services, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to access external remote services.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Denying direct remote access to internal systems to prevent adversaries from leveraging external-facing remote services to access and/or persist within a network.
References
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversaries from leveraging externally-facing remote services to initially access and/or persist within a network.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | secondary_impact | T1133 | External Remote Services |
Comments
CVE-2020-1472 is a privilege escalation vulnerability in Windows Netlogon. After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.
References
|
| CVE-2020-8515 | Multiple DrayTek Vigor Routers Web Management Page Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices, This vulnerability allows an attacker to make arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.
References
|
| CVE-2024-45195 | Apache OFBiz Forced Browsing Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
Insufficient authorization checks in affected Apache OFBiz versions (before 18.12.16) allow an attacker running their own server to send POST requests that instruct the OFBiz server to fetch malicious files from the attacker's server. The attacker can then send another request that triggers the malicious files to run arbitrary code.
References
|
| CVE-2023-48365 | Qlik Sense HTTP Tunneling Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
This vulnerability stems from improper HTTP header validation, if exploited, allows for remote code execution on affected devices.
References
|
| CVE-2023-20269 | Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
This vulnerability is exploited by an unauthenticated, remote attacker by specifying a default connection profile/tunnel group, enabling a brute-force attack to identify valid credentials and establish a clienteles SSL VPN session using those valid credentials.
References
|
| CVE-2019-5591 | Fortinet FortiOS Default Configuration Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS, specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating a Lightweight Directory Access Protocol (LDAP) server.
References
|
| CVE-2021-1498 | Cisco HyperFlex HX Data Platform Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2021-1498 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device
References
|
| CVE-2021-1497 | Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2021-1497 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device
References
|
| CVE-2020-25506 | D-Link DNS-320 Device Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2020-25506 is a command injection vulnerability in the D-Link DNS-320 FW v2.06B01 Revision Ax system_mgr.cgi component, which can lead to remote arbitrary code execution.
References
|
| CVE-2024-11120 | GeoVision Devices OS Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
Specific end-of-life GeoVision IoT devices contain an insufficient input validation vulnerability that allows for unauthenticated attackers to inject arbitrary commands and execute them on the system.
References
|
| CVE-2023-39780 | ASUS RT-AX55 Routers OS Command Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
Attackers have gained access to affected ASUS routers by using brute-force login attempts and authentication bypasses, allowing them to inject and execute commands to enable SSH. Additionally, they can place a backdoor in the NVRAM.
References
|
| CVE-2022-20699 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
This vulnerability is exploited by a remote, unauthenticated attacker by "sending a specially crafted HTTP request to a vulnerable device that is acting as an SSL VPN Gateway.” This can be performed due to insufficient boundary checks when processing specific HTTP requests. If exploited, this could grant root privileges to the attacker.
References
|
| CVE-2025-32756 | Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
Attackers use a Python script (publicly available or custom) to send a malformed POST request, triggering a buffer overflow. From there, they execute remote code and malicious payloads (i.e. malware), harvest credentials, move laterally over the network, erase logs to avoid detection, and exfiltrate data over C2.
References
|
| CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1133 | External Remote Services |
Comments
CVE-2021-26857, part of Proxy Logon, is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
References
|
| CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
References
|
| CVE-2021-22986 | F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
The iControl REST interface has an unauthenticated remote command execution vulnerability. This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2020-5902 is a RCE vulnerability in the Traffic Management User Interface (TMUI) that allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code.The Traffic Management User Interface (TMUI)
References
|
| CVE-2019-19781 | Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2019-19781 is exploited through directory traversal, allowing an unauthenticated attacker to execute arbitrary code on affected Citrix Netscaler Application Delivery Control (ADC).
References
|
| CVE-2019-0708 | Microsoft Remote Desktop Services Remote Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability present in the Windows Remote Desktop Services. Blue Keep can enable remote unauthenticated attackers to run arbitrary code, or conduct denial of service attacks, as well as potentially take control of vulnerable systems.
References
|
| CVE-2014-7169 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2014-7169 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
References
|
| CVE-2014-6271 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2014-6271 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
References
|
| CVE-2019-11510 | Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE 2019-11510 Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
References
|
| CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | primary_impact | T1133 | External Remote Services |
Comments
As referenced in the attached report, T1133 is a known impact of this exploit.
References
|
| CVE-2023-27532 | Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2023-27532 is a vulnerability in their backup & replication servers exposed online which allows unauthenticated users to request encrypted credentials. Public reporting has indicated that various ransomware groups have exploited vulnerability to gain access and crash the backup infrastructure hosts, extract stored encrypted credentials, and deploy additional tools.
References
|
| CVE-2019-3396 | Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability | exploitation_technique | T1133 | External Remote Services |
Comments
CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1133 | External Remote Services |
Comments
This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial.
References
|
| alerts_for_azure_network_layer | Alerts for Azure Network Layer | technique_scores | T1133 | External Remote Services |
Comments
This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity".
References
|
| azure_firewall | Azure Firewall | technique_scores | T1133 | External Remote Services |
Comments
This control can limit access to external remote services to the minimum necessary.
References
|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1133 | External Remote Services |
Comments
This control can be used to restrict direct access to remote service gateways and concentrators that typically accompany external remote services. This can be circumvented though if an adversary is able to compromise a trusted host and use it to access the external remote service. This results in an overall partial (coverage) score.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1133 | External Remote Services |
Comments
This control can identify anomalous access to external remote services.
References
|
| azure_policy | Azure Policy | technique_scores | T1133 | External Remote Services |
Comments
This control may provide recommendations to secure external remote services, such as restricting SSH access, enabling multi-factor authentication for VPN access, and auditing external remote services that are not necessary or updated.
References
|
| just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | technique_scores | T1133 | External Remote Services |
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at utilizing external remote services, such as RDP or a VPN, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| mandiant_asm | Mandiant Attack Surface Management (ASM) | technique_scores | T1133 | External Remote Services |
Comments
Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.
References
|
| advanced_protection_program | Advanced Protection Program | technique_scores | T1133 | External Remote Services |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA for remote service accounts can mitigate an adversary's ability to leverage stolen credentials since they won't have the respective security key to gain access.
References
|
| chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1133 | External Remote Services |
Comments
Chrome Enterprise Premium implements a zero trust model which restricts access to resources unless all rules and conditions are met. Instead of securing resources at the network-level, access controls are instead applied to individual devices and users.
References
|
| cloud_identity | Cloud Identity | technique_scores | T1133 | External Remote Services |
Comments
This control may mitigate an adversary's ability to leverage external-facing remote services through multi-factor authentication of service account credentials.
References
|
| cloud_ngfw | Cloud Next-Generation Firewall (NGFW)_ | technique_scores | T1133 | External Remote Services |
Comments
Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow certain remote services to be available. Furthermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).
References
|
| cloud_vpn | Cloud VPN | technique_scores | T1133 | External Remote Services |
Comments
This control provides protections against adversaries who try to access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.
References
|
| security_command_center | Security Command Center | technique_scores | T1133 | External Remote Services |
Comments
SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "reverse shell"). SCC specifically detects for stdin bound to a remote socket. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_inspector | Amazon Inspector | technique_scores | T1133 | External Remote Services |
Comments
The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, "Disable root login over SSH". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score.
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1133 | External Remote Services |
Comments
VPC security groups and network access control lists (NACLs) can limit access to external remote services to the minimum necessary.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1133 | External Remote Services |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow certain remote services to be available. Futhermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).
References
|
| aws_single_sign-on | AWS Single Sign-On | technique_scores | T1133 | External Remote Services |
Comments
This control may protect against abuse of external remote services by requiring multi-factor authentication for single sign-on accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1133 | External Remote Services |
Comments
This control's "Suspicious VPN connection (external ID 2025)" alert utilizes machine learning models to learn normal VPN connections for a user and detect deviations from the norm. This detection is specific to VPN traffic and therefore its overall coverage is Minimal.
References
|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1133 | External Remote Services |
Comments
This control's polices for access control can limit abuse of external facing remote services.
References
|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1133 | External Remote Services |
Comments
This control can provide logging of activity associated with potential exploitation of remote services such as anomalous geographic access.
References
|
| EID-IDSS-E3 | Identity Secure Score | Technique Scores | T1133 | External Remote Services |
Comments
This control's "Configure VPN Integration" recommendation can lead to detecting abnormal VPN connections that may be indicative of an attack. Although this control provides a recommendation that is limited to a specific external remote service type of VPN, most of this technique's procedure examples are VPN related resulting in a Partial overall score.
References
|
| PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1133 | External Remote Services |
Comments
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval).
License requirements: M365 E5 customers.
References
|