T1133 External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1133 External Remote Services
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.IR-01.06 Production environment segregation Mitigates T1133 External Remote Services
    Comments
    This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
    References
      PR.AA-05.02 Privileged system access Mitigates T1133 External Remote Services
      Comments
      This diagnostic statement protects against External Remote Services through the use of privileged account management and the use of multi-factor authentication.
      References
        PR.AA-05.01 Access privilege limitation Mitigates T1133 External Remote Services
        Comments
        This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.
        References
          PR.PS-01.07 Cryptographic keys and certificates Mitigates T1133 External Remote Services
          Comments
          This diagnostic statement protects against External Remote Services through the use of revocation of keys and key management. Employing key protection strategies and key management for those used in external remote services, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to access external remote services.
          References
            PR.AA-03.01 Authentication requirements Mitigates T1133 External Remote Services
            Comments
            This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
            References
              PR.IR-01.01 Network segmentation Mitigates T1133 External Remote Services
              Comments
              This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Denying direct remote access to internal systems to prevent adversaries from leveraging external-facing remote services to access and/or persist within a network.
              References
                PR.IR-04.01 Utilization monitoring Mitigates T1133 External Remote Services
                Comments
                This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
                References
                  PR.IR-01.02 Network device configurations Mitigates T1133 External Remote Services
                  Comments
                  This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversaries from leveraging externally-facing remote services to initially access and/or persist within a network.
                  References
                    PR.IR-01.03 Network communications integrity and availability Mitigates T1133 External Remote Services
                    Comments
                    This diagnostic statement protects against External Remote Services through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
                    References
                      PR.AA-01.01 Identity and credential management Mitigates T1133 External Remote Services
                      Comments
                      This diagnostic statement protects against External Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
                      References
                        PR.PS-01.08 End-user device protection Mitigates T1133 External Remote Services
                        Comments
                        This diagnostic statement protects against External Remote Services through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
                        References

                          NIST 800-53 Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          CM-06 Configuration Settings mitigates T1133 External Remote Services
                          IA-05 Authenticator Management mitigates T1133 External Remote Services
                          AC-17 Remote Access mitigates T1133 External Remote Services
                          RA-05 Vulnerability Monitoring and Scanning mitigates T1133 External Remote Services
                          CM-08 System Component Inventory mitigates T1133 External Remote Services
                          SC-46 Cross Domain Policy Enforcement mitigates T1133 External Remote Services
                          SI-07 Software, Firmware, and Information Integrity mitigates T1133 External Remote Services
                          AC-20 Use of External Systems mitigates T1133 External Remote Services
                          CM-02 Baseline Configuration mitigates T1133 External Remote Services
                          IA-02 Identification and Authentication (Organizational Users) mitigates T1133 External Remote Services
                          CM-07 Least Functionality mitigates T1133 External Remote Services
                          SI-04 System Monitoring mitigates T1133 External Remote Services
                          AC-03 Access Enforcement mitigates T1133 External Remote Services
                          AC-04 Information Flow Enforcement mitigates T1133 External Remote Services
                          AC-06 Least Privilege mitigates T1133 External Remote Services
                          AC-07 Unsuccessful Logon Attempts mitigates T1133 External Remote Services
                          SC-07 Boundary Protection mitigates T1133 External Remote Services

                          Known Exploited Vulnerabilities Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          CVE-2020-1472 Microsoft Netlogon Privilege Escalation Vulnerability secondary_impact T1133 External Remote Services
                          Comments
                          CVE-2020-1472 is a privilege escalation vulnerability in Windows Netlogon. After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials.
                          References
                          CVE-2020-1472 Microsoft Netlogon Privilege Escalation Vulnerability exploitation_technique T1133 External Remote Services
                          CVE-2020-8515 Multiple DrayTek Vigor Routers Web Management Page Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices, This vulnerability allows an attacker to make arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.
                          References
                          CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          Insufficient authorization checks in affected Apache OFBiz versions (before 18.12.16) allow an attacker running their own server to send POST requests that instruct the OFBiz server to fetch malicious files from the attacker's server. The attacker can then send another request that triggers the malicious files to run arbitrary code.
                          References
                          CVE-2023-48365 Qlik Sense HTTP Tunneling Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          This vulnerability stems from improper HTTP header validation, if exploited, allows for remote code execution on affected devices.
                          References
                          CVE-2023-20269 Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          This vulnerability is exploited by an unauthenticated, remote attacker by specifying a default connection profile/tunnel group, enabling a brute-force attack to identify valid credentials and establish a clienteles SSL VPN session using those valid credentials.
                          References
                          CVE-2019-5591 Fortinet FortiOS Default Configuration Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS, specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating a Lightweight Directory Access Protocol (LDAP) server.
                          References
                          CVE-2021-1498 Cisco HyperFlex HX Data Platform Command Injection Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2021-1498 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device
                          References
                          CVE-2021-1497 Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2021-1497 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device
                          References
                          CVE-2020-25506 D-Link DNS-320 Device Command Injection Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2020-25506 is a command injection vulnerability in the D-Link DNS-320 FW v2.06B01 Revision Ax system_mgr.cgi component, which can lead to remote arbitrary code execution.
                          References
                          CVE-2024-11120 GeoVision Devices OS Command Injection Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          Specific end-of-life GeoVision IoT devices contain an insufficient input validation vulnerability that allows for unauthenticated attackers to inject arbitrary commands and execute them on the system.
                          References
                          CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          Attackers have gained access to affected ASUS routers by using brute-force login attempts and authentication bypasses, allowing them to inject and execute commands to enable SSH. Additionally, they can place a backdoor in the NVRAM.
                          References
                          CVE-2022-20699 Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          This vulnerability is exploited by a remote, unauthenticated attacker by "sending a specially crafted HTTP request to a vulnerable device that is acting as an SSL VPN Gateway.” This can be performed due to insufficient boundary checks when processing specific HTTP requests. If exploited, this could grant root privileges to the attacker.
                          References
                          CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          Attackers use a Python script (publicly available or custom) to send a malformed POST request, triggering a buffer overflow. From there, they execute remote code and malicious payloads (i.e. malware), harvest credentials, move laterally over the network, erase logs to avoid detection, and exfiltrate data over C2.
                          References
                          CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability secondary_impact T1133 External Remote Services
                          Comments
                          CVE-2021-26857, part of Proxy Logon, is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
                          References
                          CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
                          References
                          CVE-2021-22986 F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          The iControl REST interface has an unauthenticated remote command execution vulnerability. This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.
                          References
                          CVE-2020-5902 F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2020-5902 is a RCE vulnerability in the Traffic Management User Interface (TMUI) that allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code.The Traffic Management User Interface (TMUI)
                          References
                          CVE-2019-19781 Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2019-19781 is exploited through directory traversal, allowing an unauthenticated attacker to execute arbitrary code on affected Citrix Netscaler Application Delivery Control (ADC).
                          References
                          CVE-2019-0708 Microsoft Remote Desktop Services Remote Code Execution Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability present in the Windows Remote Desktop Services. Blue Keep can enable remote unauthenticated attackers to run arbitrary code, or conduct denial of service attacks, as well as potentially take control of vulnerable systems.
                          References
                          CVE-2014-7169 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2014-7169 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
                          References
                          CVE-2014-6271 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2014-6271 allows environment variables set from service/HTTP requests on a serve (e.g. HTTP_COOKIE) in Bash shell that allows for spawning a child shell with the authority/privilege level of the parent shell to perform RCE of code provided by the adversary in the request.
                          References
                          CVE-2019-11510 Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE 2019-11510 Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
                          References
                          CVE-2018-4939 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability primary_impact T1133 External Remote Services
                          CVE-2023-27532 Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2023-27532 is a vulnerability in their backup & replication servers exposed online which allows unauthenticated users to request encrypted credentials. Public reporting has indicated that various ransomware groups have exploited vulnerability to gain access and crash the backup infrastructure hosts, extract stored encrypted credentials, and deploy additional tools.
                          References
                          CVE-2019-3396 Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability exploitation_technique T1133 External Remote Services
                          Comments
                          CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.
                          References

                          VERIS Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1133 External Remote Services
                          action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1133 External Remote Services
                          action.hacking.vector.3rd party desktop 3rd party online desktop sharing (LogMeIn, Go2Assist) related-to T1133 External Remote Services
                          action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1133 External Remote Services
                          action.hacking.vector.Desktop sharing software Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two related-to T1133 External Remote Services
                          action.hacking.vector.VPN VPN related-to T1133 External Remote Services
                          action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1133 External Remote Services
                          action.malware.vector.Remote injection Remotely injected by agent (i.e. via SQLi) related-to T1133 External Remote Services
                          action.malware.vector.Web application Web application. Parent of 'Web application - download' and 'Web application - drive-by. related-to T1133 External Remote Services

                          Azure Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations technique_scores T1133 External Remote Services
                          Comments
                          This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial.
                          References
                          alerts_for_azure_network_layer Alerts for Azure Network Layer technique_scores T1133 External Remote Services
                          Comments
                          This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity".
                          References
                          azure_firewall Azure Firewall technique_scores T1133 External Remote Services
                          Comments
                          This control can limit access to external remote services to the minimum necessary.
                          References
                          azure_network_security_groups Azure Network Security Groups technique_scores T1133 External Remote Services
                          Comments
                          This control can be used to restrict direct access to remote service gateways and concentrators that typically accompany external remote services. This can be circumvented though if an adversary is able to compromise a trusted host and use it to access the external remote service. This results in an overall partial (coverage) score.
                          References
                          azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1133 External Remote Services
                          Comments
                          This control can identify anomalous access to external remote services.
                          References
                          azure_policy Azure Policy technique_scores T1133 External Remote Services
                          Comments
                          This control may provide recommendations to secure external remote services, such as restricting SSH access, enabling multi-factor authentication for VPN access, and auditing external remote services that are not necessary or updated.
                          References
                          just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access technique_scores T1133 External Remote Services
                          Comments
                          This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at utilizing external remote services, such as RDP or a VPN, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
                          References

                          GCP Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          mandiant_asm Mandiant Attack Surface Management (ASM) technique_scores T1133 External Remote Services
                          Comments
                          Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.
                          References
                          advanced_protection_program Advanced Protection Program technique_scores T1133 External Remote Services
                          Comments
                          Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA for remote service accounts can mitigate an adversary's ability to leverage stolen credentials since they won't have the respective security key to gain access.
                          References
                          chrome_enterprise_premium Chrome Enterprise Premium technique_scores T1133 External Remote Services
                          Comments
                          Chrome Enterprise Premium implements a zero trust model which restricts access to resources unless all rules and conditions are met. Instead of securing resources at the network-level, access controls are instead applied to individual devices and users.
                          References
                          cloud_identity Cloud Identity technique_scores T1133 External Remote Services
                          Comments
                          This control may mitigate an adversary's ability to leverage external-facing remote services through multi-factor authentication of service account credentials.
                          References
                          cloud_ngfw Cloud Next-Generation Firewall (NGFW)_ technique_scores T1133 External Remote Services
                          Comments
                          Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow certain remote services to be available. Furthermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).
                          References
                          cloud_vpn Cloud VPN technique_scores T1133 External Remote Services
                          Comments
                          This control provides protections against adversaries who try to access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.
                          References
                          security_command_center Security Command Center technique_scores T1133 External Remote Services
                          Comments
                          SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "reverse shell"). SCC specifically detects for stdin bound to a remote socket. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
                          References

                          AWS Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          amazon_inspector Amazon Inspector technique_scores T1133 External Remote Services
                          Comments
                          The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, "Disable root login over SSH". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score.
                          References
                          amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1133 External Remote Services
                          Comments
                          VPC security groups and network access control lists (NACLs) can limit access to external remote services to the minimum necessary.
                          References
                          aws_network_firewall AWS Network Firewall technique_scores T1133 External Remote Services
                          Comments
                          AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow certain remote services to be available. Futhermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).
                          References
                          aws_single_sign-on AWS Single Sign-On technique_scores T1133 External Remote Services
                          Comments
                          This control may protect against abuse of external remote services by requiring multi-factor authentication for single sign-on accounts.
                          References

                          M365 Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          DEF-ID-E5 Microsoft Defender for Identity Technique Scores T1133 External Remote Services
                          Comments
                          This control's "Suspicious VPN connection (external ID 2025)" alert utilizes machine learning models to learn normal VPN connections for a user and detect deviations from the norm. This detection is specific to VPN traffic and therefore its overall coverage is Minimal.
                          References
                          DEF-CAPP-E5 Defender for Cloud Apps Technique Scores T1133 External Remote Services
                          DEF-CAPP-E5 Defender for Cloud Apps Technique Scores T1133 External Remote Services
                          Comments
                          This control can provide logging of activity associated with potential exploitation of remote services such as anomalous geographic access.
                          References
                          EID-IDSS-E3 Identity Secure Score Technique Scores T1133 External Remote Services
                          Comments
                          This control's "Configure VPN Integration" recommendation can lead to detecting abnormal VPN connections that may be indicative of an attack. Although this control provides a recommendation that is limited to a specific external remote service type of VPN, most of this technique's procedure examples are VPN related resulting in a Partial overall score.
                          References
                          PUR-PAM-E5 Privileged Access Management Technique Scores T1133 External Remote Services
                          Comments
                          Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). License requirements: M365 E5 customers.
                          References