T1210 Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Discovery or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176), as well as in applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services (Citation: NVD CVE-2014-7169) (Citation: Ars Technica VMWare Code Execution Vulnerability 2021). Additionally, there have been a number of vulnerabilities in VMware vCenter installations, which may enable threat actors to move laterally from the compromised vCenter server to virtual machines or even to ESXi hypervisors (Citation: Broadcom VMSA-2024-0019).

Depending on the permissions level of the vulnerable remote service, an adversary may also achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation.

CSA CCM Mappings

Each entry below gives: Capability ID, Capability Description, Mapping Type, ATT&CK ID, ATT&CK Name, followed by the mapping Notes (Comments).

STA-10 Supply Chain Risk Management mitigates T1210 Exploitation of Remote Services
Comments
The mitigative applications of this control relate to: "(c) documentation and testing of the specific technical controls implemented to support the product or service (e.g., identity and access management, network design and security)". Network design and security testing (segmentation, secure protocols, egress controls) limit an adversary's ability to move laterally or exfiltrate via compromised software components through SMB and RDP, as well as through applications that may be used within internal networks such as MySQL and web server services.

I&S-06 Segmentation and Segregation mitigates T1210 Exploitation of Remote Services
Comments
This control provides for appropriately segmented and segregated cloud environments. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmenting networks and systems reduces access to critical systems and services, mitigating exploitation via remote services.

TVM-05 Detection Updates mitigates T1210 Exploitation of Remote Services
Comments
This control requires both the CSP and the CSC to independently define, implement, and regularly update detection tools, threat signatures, and indicators of compromise based on a threat intelligence platform/program, ensuring effective and timely detection of threats across all cloud service models. A centralized threat intelligence platform or program enables organizations to proactively identify, analyze, and act on cyber threats by leveraging internal and external data sources. As it applies to mitigable techniques, a robust cyber threat intelligence capability helps determine what types and levels of threat may use software exploits, 0-days, or N-days against a particular organization.

I&S-09 Network Defense mitigates T1210 Exploitation of Remote Services
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmenting networks and systems reduces access to critical systems and services, mitigating exploitation via remote services.

DSP-15 Limitation of Production Data Use mitigates T1210 Exploitation of Remote Services
Comments
This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program or cloud service. In terms of mitigation, networks and systems should be segmented appropriately so that access to production systems and services is reduced to controlled methods, and permissions and access for service accounts should be minimized to limit the impact of exploitation.

AIS-07 Application Vulnerability Remediation mitigates T1210 Exploitation of Remote Services
Comments
The control requires prioritized remediation based on risk assessment and CVSS scores, automated patch management, and integration of remediation tools into CI/CD pipelines to address vulnerabilities as early as possible in the development lifecycle.