Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Backdoor | Hacking action that creates a backdoor for use. | related-to | T1133 | External Remote Services | |
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1133 | External Remote Services | |
action.hacking.vector.3rd party desktop | 3rd party online desktop sharing (LogMeIn, Go2Assist) | related-to | T1133 | External Remote Services | |
action.hacking.vector.Backdoor | Hacking actions taken through a backdoor. C2 is only used by malware. | related-to | T1133 | External Remote Services | |
action.hacking.vector.Desktop sharing software | Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two | related-to | T1133 | External Remote Services | |
action.hacking.vector.VPN | VPN | related-to | T1133 | External Remote Services | |
action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1133 | External Remote Services | |
action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1133 | External Remote Services | |
action.malware.vector.Remote injection | Remotely injected by agent (i.e. via SQLi) | related-to | T1133 | External Remote Services | |
action.malware.vector.Web application | Web application. Parent of 'Web application - download' and 'Web application - drive-by. | related-to | T1133 | External Remote Services | |
amazon_inspector | Amazon Inspector | technique_scores | T1133 | External Remote Services | Comments: The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints, specifically "Disable root login over SSH". This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. Given that Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and that it only restricts access to remote services for one user account, the coverage score is Minimal, leading to an overall Minimal score. References: (none listed) |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1133 | External Remote Services | Comments: VPC security groups and network access control lists (NACLs) can limit access to external remote services to the minimum necessary. References: (none listed) |
aws_network_firewall | AWS Network Firewall | technique_scores | T1133 | External Remote Services | Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol, as well as perform deep packet inspection on the payload. This functionality can be used to make only certain remote services available. Furthermore, it can enforce restrictions such that remote services are only reachable from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because, while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack). References: (none listed) |
aws_single_sign-on | AWS Single Sign-On | technique_scores | T1133 | External Remote Services | Comments: This control may protect against abuse of external remote services by requiring multi-factor authentication for single sign-on accounts. References: (none listed) |
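The Amazon VPC row above says security groups and NACLs can limit external remote services to the minimum necessary. The following added example (not part of the mapping project or of AWS) models the two evaluation semantics that matter when writing such a policy: security groups are stateful and allow-only with an implicit deny, while NACLs are stateless, ordered by rule number, first match wins, and end in a default deny. The sample policy, the trusted admin CIDR (TEST-NET-3) and the rule numbers are constructed assumptions; the example also shows why a stateless NACL's ephemeral-port allow rule cannot by itself keep RDP off the Internet, so the security group must carry that restriction.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order (ignored for security groups)
    action: str      # "allow" or "deny"; security groups only ever hold "allow"
    protocol: str    # "tcp", "udp", or "-1" for any protocol
    port_from: int
    port_to: int
    cidr: str        # source CIDR for an inbound rule


def rule_matches(rule: Rule, protocol: str, port: int, source_ip: str) -> bool:
    if rule.protocol not in ("-1", protocol):
        return False
    if not (rule.port_from <= port <= rule.port_to):
        return False
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule.cidr)


def security_group_allows(rules, protocol, port, source_ip) -> bool:
    # Stateful, allow-only: any matching rule permits, otherwise implicit deny.
    return any(rule_matches(r, protocol, port, source_ip) for r in rules)


def nacl_allows(rules, protocol, port, source_ip) -> bool:
    # Stateless: rules checked in ascending number, first match wins, "*" denies.
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, protocol, port, source_ip):
            return r.action == "allow"
    return False


def inbound_allowed(nacl, sg, protocol, port, source_ip) -> bool:
    # A packet must clear the subnet NACL and then the instance security group.
    return nacl_allows(nacl, protocol, port, source_ip) and \
        security_group_allows(sg, protocol, port, source_ip)


# Constructed policy: SSH and RDP only from the corporate admin egress range,
# HTTPS from anywhere. NACLs are stateless, so return traffic for outbound
# connections needs an inbound ephemeral-port allow (rule 130).
TRUSTED_ADMIN_CIDR = "203.0.113.0/24"  # assumption: documentation range
SUBNET_NACL = [
    Rule(100, "allow", "tcp", 22, 22, TRUSTED_ADMIN_CIDR),
    Rule(110, "allow", "tcp", 3389, 3389, TRUSTED_ADMIN_CIDR),
    Rule(120, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    Rule(130, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
]
BASTION_SG = [
    Rule(0, "allow", "tcp", 22, 22, TRUSTED_ADMIN_CIDR),
    Rule(0, "allow", "tcp", 3389, 3389, TRUSTED_ADMIN_CIDR),
    Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
```

Because 3389 falls inside the ephemeral range, the NACL alone passes RDP from an untrusted source; only the security group's missing rule blocks it, which is why the security group, not the NACL, is the control to audit for remote-service exposure.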