Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of privileged account management and the use of multi-factor authentication.
References
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of revocation of keys and key management. Employing key protection strategies and key management for those used in external remote services, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to access external remote services.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Denying direct remote access to internal systems to prevent adversaries from leveraging external-facing remote services to access and/or persist within a network.
References
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversaries from leveraging externally-facing remote services to initially access and/or persist within a network.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1133 | External Remote Services |
Comments
This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial.
References
|
| alerts_for_azure_network_layer | Alerts for Azure Network Layer | technique_scores | T1133 | External Remote Services |
Comments
This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity".
References
|
| azure_firewall | Azure Firewall | technique_scores | T1133 | External Remote Services |
Comments
This control can limit access to external remote services to the minimum necessary.
References
|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1133 | External Remote Services |
Comments
This control can be used to restrict direct access to remote service gateways and concentrators that typically accompany external remote services. This can be circumvented though if an adversary is able to compromise a trusted host and use it to access the external remote service. This results in an overall partial (coverage) score.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1133 | External Remote Services |
Comments
This control can identify anomalous access to external remote services.
References
|
| azure_policy | Azure Policy | technique_scores | T1133 | External Remote Services |
Comments
This control may provide recommendations to secure external remote services, such as restricting SSH access, enabling multi-factor authentication for VPN access, and auditing external remote services that are not necessary or updated.
References
|
| just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | technique_scores | T1133 | External Remote Services |
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at utilizing external remote services, such as RDP or a VPN, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| mandiant_asm | Mandiant Attack Surface Management (ASM) | technique_scores | T1133 | External Remote Services |
Comments
Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.
References
|
| advanced_protection_program | Advanced Protection Program | technique_scores | T1133 | External Remote Services |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA for remote service accounts can mitigate an adversary's ability to leverage stolen credentials since they won't have the respective security key to gain access.
References
|
| chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1133 | External Remote Services |
Comments
Chrome Enterprise Premium implements a zero trust model which restricts access to resources unless all rules and conditions are met. Instead of securing resources at the network-level, access controls are instead applied to individual devices and users.
References
|
| cloud_identity | Cloud Identity | technique_scores | T1133 | External Remote Services |
Comments
This control may mitigate an adversary's ability to leverage external-facing remote services through multi-factor authentication of service account credentials.
References
|
| cloud_ngfw | Cloud Next-Generation Firewall (NGFW)_ | technique_scores | T1133 | External Remote Services |
Comments
Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow certain remote services to be available. Furthermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).
References
|
| cloud_vpn | Cloud VPN | technique_scores | T1133 | External Remote Services |
Comments
This control provides protections against adversaries who try to access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.
References
|
| security_command_center | Security Command Center | technique_scores | T1133 | External Remote Services |
Comments
SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "reverse shell"). SCC specifically detects for stdin bound to a remote socket. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_inspector | Amazon Inspector | technique_scores | T1133 | External Remote Services |
Comments
The Amazon Inspector Best Practices assessment package can detect a security control setting related to remote service access on Linux endpoints. Specifically, "Disable root login over SSH". This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against adversaries accessing remote services. Given Amazon Inspector can only assess this security control on Linux platforms (although it also supports Windows) and it only restricts access to remote services for one user account, the coverage score is Minimal leading to an overall Minimal score.
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1133 | External Remote Services |
Comments
VPC security groups and network access control lists (NACLs) can limit access to external remote services to the minimum necessary.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1133 | External Remote Services |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow certain remote services to be available. Futhermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).
References
|
| aws_single_sign-on | AWS Single Sign-On | technique_scores | T1133 | External Remote Services |
Comments
This control may protect against abuse of external remote services by requiring multi-factor authentication for single sign-on accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1133 | External Remote Services |
Comments
This control's "Suspicious VPN connection (external ID 2025)" alert utilizes machine learning models to learn normal VPN connections for a user and detect deviations from the norm. This detection is specific to VPN traffic and therefore its overall coverage is Minimal.
References
|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1133 | External Remote Services |
Comments
This control's polices for access control can limit abuse of external facing remote services.
References
|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1133 | External Remote Services |
Comments
This control can provide logging of activity associated with potential exploitation of remote services such as anomalous geographic access.
References
|
| EID-IDSS-E3 | Identity Secure Score | Technique Scores | T1133 | External Remote Services |
Comments
This control's "Configure VPN Integration" recommendation can lead to detecting abnormal VPN connections that may be indicative of an attack. Although this control provides a recommendation that is limited to a specific external remote service type of VPN, most of this technique's procedure examples are VPN related resulting in a Partial overall score.
References
|
| PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1133 | External Remote Services |
Comments
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval).
License requirements: M365 E5 customers.
References
|