Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is lateral movement to enable access to a remote system.
An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Discovery or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high-value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)
Depending on the permissions level of the vulnerable remote service, an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
PR.AA-05.02 | Privileged system access | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement protects against Exploitation of Remote Services through the use of privileged account management and the use of multi-factor authentication.
References
|
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement protects against Exploitation of Remote Services by monitoring and constraining third-party access to internal systems. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
PR.PS-06.05 | Testing and validation strategy | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
References
|
ID.RA-01.03 | Vulnerability management | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
References
|
PR.PS-02.01 | Patch identification and application | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can mitigate exploitation of remote services.
References
|
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
References
|
PR.PS-05.02 | Mobile code prevention | Mitigates | T1210 | Exploitation of Remote Services |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
References
|
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1210 | Exploitation of Remote Services |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment that limits the impact of potential compromises. For this technique, keep the virtualization layer itself patched so that adversaries cannot advance their operation by exploiting unpatched vulnerabilities in the virtualization technologies themselves.
References
|
PR.AA-05.03 | Service accounts | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize permissions and access for service accounts to limit impact of exploitation.
References
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring vulnerability scanning of third-party applications for common weaknesses such as SQL injection or cross-site scripting (XSS), and repeating the scans after major changes to identify newly introduced vulnerabilities.
References
|
PR.IR-01.01 | Network segmentation | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Segment externally facing networks and systems appropriately, and segment internal networks as well, so that a compromised host cannot reach vulnerable remote services on systems it has no business talking to.
References
|
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1210 | Exploitation of Remote Services |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
References
|
PR.IR-01.06 | Production environment segregation | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1210 | Exploitation of Remote Services |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1210 | Exploitation of Remote Services |
Comments
This control can be used to restrict access to remote services to the minimum necessary.
References
|
azure_policy | Azure Policy | technique_scores | T1210 | Exploitation of Remote Services |
Comments
This control may provide recommendations to enable Azure security controls to harden remote services and reduce surface area for possible exploitation.
References
|
azure_update_manager | Azure Update Manager | technique_scores | T1210 | Exploitation of Remote Services |
Comments
This control provides significant coverage of techniques that leverage vulnerabilities in unpatched remote services since it enables automated updates of software and rapid configuration change management.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1210 | Exploitation of Remote Services |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in an exposed service. Detection is periodic at an unknown rate.
References
|
vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | technique_scores | T1210 | Exploitation of Remote Services |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
artifact_analysis | Artifact Analysis | technique_scores | T1210 | Exploitation of Remote Services |
Comments
Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and is not effective against zero day attacks, vulnerabilities with no available patch, and other end-of-life packages.
References
|
google_secops | Google Security Operations | technique_scores | T1210 | Exploitation of Remote Services |
Comments
Google Security Ops is able to trigger an alert based on suspicious system event IDs (e.g., anonymous users changing machine passwords).
This technique was scored as Minimal based on a low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/security/anonymous_user_changed_machine_password.yaral
References
|
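The mapping above points at a detection rule for anonymous users changing machine passwords but does not show the logic. The following is an added example, not code from the original page or from the linked Google SecOps rule. It assumes the rule follows the common pattern for this alert: Windows Security Event ID 4742 ("A computer account was changed") whose Subject is ANONYMOUS LOGON (SID S-1-5-7) and whose PasswordLastSet attribute actually changed (the Windows event records "-" for attributes that did not change). Computer accounts normally rotate their own passwords under their own identity or SYSTEM, so an anonymous caller doing it is anomalous. The events and field names below are constructed samples for the example, not real logs.

```python
"""Flag computer-account password changes performed by an anonymous caller.

Added example for the T1210 mapping page; not the page's or the linked
rule's own code. Assumes the Event ID 4742 / ANONYMOUS LOGON pattern
described in the lead-in. Sample events are constructed, not real.
"""
from dataclasses import dataclass
from typing import Iterable, List

EVENT_COMPUTER_ACCOUNT_CHANGED = 4742
ANONYMOUS_SUBJECT = "ANONYMOUS LOGON"
ANONYMOUS_SID = "S-1-5-7"      # well-known SID for the anonymous identity
UNCHANGED = "-"                # value Windows writes for attributes that did not change

# Constructed sample events, shaped like fields an agent would extract from the
# Windows Security log. The field names are an assumption for this example.
SAMPLE_EVENTS = [
    # Anonymous subject, machine account target, password attribute changed -> alert
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectUserSid": "S-1-5-7", "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 3:20:11 PM"},
    # Normal self-rotation by the computer account itself -> no alert
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "DC01$",
     "SubjectUserSid": "S-1-5-18", "TargetUserName": "DC01$", "PasswordLastSet": "9/14/2020 3:00:00 PM"},
    # Anonymous subject but the password attribute was not touched -> no alert
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectUserSid": "S-1-5-7", "TargetUserName": "WS07$", "PasswordLastSet": "-"},
    # Different event ID entirely (a logon) -> no alert
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectUserSid": "S-1-5-7", "TargetUserName": "ANONYMOUS LOGON", "PasswordLastSet": "-"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    target_account: str
    password_last_set: str


def is_anonymous_machine_password_change(event: dict) -> bool:
    """Return True when a 4742 event shows an anonymous caller changing a
    machine account's password."""
    if event.get("EventID") != EVENT_COMPUTER_ACCOUNT_CHANGED:
        return False
    anonymous = (event.get("SubjectUserSid") == ANONYMOUS_SID
                 or event.get("SubjectUserName", "").upper() == ANONYMOUS_SUBJECT)
    # Computer account sAMAccountNames end with "$"
    machine_target = event.get("TargetUserName", "").endswith("$")
    password_changed = event.get("PasswordLastSet", UNCHANGED) not in (UNCHANGED, "", None)
    return anonymous and machine_target and password_changed


def detect(events: Iterable[dict]) -> List[Finding]:
    """Run the check over a stream of events and return the findings."""
    return [Finding(e["Computer"], e["TargetUserName"], e["PasswordLastSet"])
            for e in events if is_anonymous_machine_password_change(e)]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT {f.host}: anonymous caller changed password of {f.target_account} "
              f"(PasswordLastSet={f.password_last_set})")
```

Only the first sample event should fire; the self-rotation, the unchanged-attribute case, and the unrelated logon event are all filtered out. When porting this to a real pipeline, keep the PasswordLastSet check: without it, any anonymous modification of a computer object (not just a password reset) would alert, which is noisier than the rule the page references.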
vm_manager | VM Manager | technique_scores | T1210 | Exploitation of Remote Services |
Comments
VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_inspector | Amazon Inspector | technique_scores | T1210 | Exploitation of Remote Services |
Comments
Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess the security control "Support SSH version 2 only", which prevents the use of vulnerable SSH protocol versions, as well as the security controls "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)", which make it more difficult for an attacker to exploit vulnerabilities in software. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1210 | Exploitation of Remote Services |
Comments
VPC security groups and network access control lists (NACLs) can be used to restrict access to remote services to the minimum necessary.
References
|
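The Azure Network Security Groups and Amazon VPC rows above both say that network rules should restrict remote services to the minimum necessary, without showing what "too broad" looks like in practice. The following is an added example, not code from the original page, from AWS, or from Azure. It audits the JSON shape returned by `aws ec2 describe-security-groups` (`SecurityGroups[].IpPermissions[]`, with `IpRanges`, `Ipv6Ranges` and `UserIdGroupPairs`) and flags inbound rules that open commonly exploited remote-service ports (SMB, RDP, MySQL, and others) to a very broad source, or allow all protocols from such a source. The port list, the "/8 or shorter counts as broad" threshold, and the sample groups are assumptions constructed for the example; the same logic applies to Azure NSG rules once the field names are adapted.

```python
"""Audit inbound security group rules that expose remote services too broadly.

Added example for the T1210 mapping page; not AWS, Azure or the page's own
code. Operates on the describe-security-groups JSON shape. The watched ports,
the breadth threshold and SAMPLE_GROUPS are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Remote services worth watching for lateral movement (SMB/RDP/MySQL come from
# the technique description; the rest are common additions). Assumption.
WATCHED_PORTS: Dict[int, str] = {
    22: "SSH", 135: "MS-RPC", 139: "NetBIOS", 445: "SMB",
    1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS",
}
# Source prefixes this short (or 0.0.0.0/0, ::/0) are treated as "broad".
# Tune for your environment; a /8 covers an entire RFC1918 range. Assumption.
BROAD_PREFIX_LEN = 8

Finding = Tuple[str, str, str, Optional[int]]  # (GroupId, source CIDR, service, port)

# Constructed sample output, not from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "file-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.20.30.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",  # all protocols, no port fields present
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,   # scoped to another SG: fine
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60009"}]},
    ]},
]


def is_broad(cidr: str) -> bool:
    """True for any-source rules and for prefixes at or shorter than the threshold."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= BROAD_PREFIX_LEN


def exposed_services(perm: dict) -> List[Tuple[str, Optional[int]]]:
    """Watched services reachable through one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all traffic: every port, every protocol
        return [("all protocols", None)]
    if proto not in ("tcp", "udp", "6", "17"):
        return []                          # ICMP etc. carry none of the watched services
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [(WATCHED_PORTS[p], p) for p in sorted(WATCHED_PORTS) if lo <= p <= hi]


def audit_security_groups(groups: List[dict]) -> List[Finding]:
    """Return one finding per (group, broad source, exposed service)."""
    findings: List[Finding] = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            # Security-group references (UserIdGroupPairs) are scoped; only CIDRs are audited.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                      [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in filter(is_broad, sources):
                for service, port in exposed_services(perm):
                    findings.append((sg["GroupId"], cidr, service, port))
    return findings


if __name__ == "__main__":
    for gid, cidr, service, port in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {service} ({port if port is not None else '*'}) open to {cidr}")
```

Against the constructed sample this yields three findings: SMB open to 0.0.0.0/0, MySQL open to ::/0, and an all-protocols rule from 10.0.0.0/8. HTTPS to the world is deliberately not flagged, because the check is about lateral-movement services rather than public web exposure, and the SSH rule scoped to another security group is left alone. The NACL side of the VPC row is not covered here; NACLs are stateless and evaluated per subnet, so they need a separate check.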
aws_config | AWS Config | technique_scores | T1210 | Exploitation of Remote Services |
Comments
The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications is not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited), both of which can reduce instances' attack surface for adversary exploitation, including via those applications' exposed remote services. The "ec2-instance-no-public-ip" managed rule identifies EC2 instances with public IP associations, which should be removed unless necessary, to avoid exposing services publicly for adversary access.
All of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
References
|
aws_rds | AWS RDS | technique_scores | T1210 | Exploitation of Remote Services |
Comments
AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation.
References
|
aws_rds | AWS RDS | technique_scores | T1210 | Exploitation of Remote Services |
Comments
AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.
References
|
aws_security_hub | AWS Security Hub | technique_scores | T1210 | Exploitation of Remote Services |
Comments
AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight:
"EC2 instances that have missing security patches for important vulnerabilities"
This is scored as Partial because the checks associated with Security Hub only report on missing patches for known vulnerabilities. It does not cover zero-day vulnerabilities.
References
|