T1133 External Remote Services Mappings

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-17 Remote Access Protects T1133 External Remote Services
AC-20 Use of External Systems Protects T1133 External Remote Services
AC-23 Data Mining Protection Protects T1133 External Remote Services
AC-3 Access Enforcement Protects T1133 External Remote Services
AC-4 Information Flow Enforcement Protects T1133 External Remote Services
AC-6 Least Privilege Protects T1133 External Remote Services
AC-7 Unsuccessful Logon Attempts Protects T1133 External Remote Services
CM-2 Baseline Configuration Protects T1133 External Remote Services
CM-6 Configuration Settings Protects T1133 External Remote Services
CM-7 Least Functionality Protects T1133 External Remote Services
CM-8 System Component Inventory Protects T1133 External Remote Services
IA-2 Identification and Authentication (organizational Users) Protects T1133 External Remote Services
IA-5 Authenticator Management Protects T1133 External Remote Services
RA-5 Vulnerability Monitoring and Scanning Protects T1133 External Remote Services
SC-46 Cross Domain Policy Enforcement Protects T1133 External Remote Services
SC-7 Boundary Protection Protects T1133 External Remote Services
SI-4 System Monitoring Protects T1133 External Remote Services
SI-7 Software, Firmware, and Information Integrity Protects T1133 External Remote Services
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1133 External Remote Services
Comments
This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial.
References
network_security_groups Network Security Groups technique_scores T1133 External Remote Services
Comments
This control can be used to restrict direct access to remote service gateways and concentrators that typically accompany external remote services. This can be circumvented though if an adversary is able to compromise a trusted host and use it to access the external remote service. This results in an overall partial (coverage) score.
References
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1133 External Remote Services
Comments
This control's "Suspicious VPN connection (external ID 2025)" alert utilizes machine learning models to learn normal VPN connections for a user and detect deviations from the norm. This detection is specific to VPN traffic and therefore its overall coverage is Minimal.
References
azure_policy Azure Policy technique_scores T1133 External Remote Services
Comments
This control may provide recommendations to secure external remote services, such as restricting SSH access, enabling multi-factor authentication for VPN access, and auditing external remote services that are not necessary or updated.
References
azure_alerts_for_network_layer Azure Alerts for Network Layer technique_scores T1133 External Remote Services
Comments
This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity".
References
cloud_app_security_policies Cloud App Security Policies technique_scores T1133 External Remote Services
cloud_app_security_policies Cloud App Security Policies technique_scores T1133 External Remote Services
Comments
This control can provide logging of activity associated with potential exploitation of remote services such as anomalous geographic access.
References
azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1133 External Remote Services
Comments
This control's "Configure VPN Integration" recommendation can lead to detecting abnormal VPN connections that may be indicative of an attack. Although this control provides a recommendation that is limited to a specific external remote service type of VPN, most of this technique's procedure examples are VPN related resulting in a Partial overall score.
References
just-in-time_vm_access Just-in-Time VM Access technique_scores T1133 External Remote Services
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at utilizing external remote services, such as RDP or a VPN, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
azure_firewall Azure Firewall technique_scores T1133 External Remote Services
Comments
This control can limit access to external remote services to the minimum necessary.
References
azure_network_traffic_analytics Azure Network Traffic Analytics technique_scores T1133 External Remote Services
Comments
This control can identify anomalous access to external remote services.
References