Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1133 | External Remote Services | |
AC-20 | Use of External Systems | Protects | T1133 | External Remote Services | |
AC-23 | Data Mining Protection | Protects | T1133 | External Remote Services | |
AC-3 | Access Enforcement | Protects | T1133 | External Remote Services | |
AC-4 | Information Flow Enforcement | Protects | T1133 | External Remote Services | |
AC-6 | Least Privilege | Protects | T1133 | External Remote Services | |
AC-7 | Unsuccessful Logon Attempts | Protects | T1133 | External Remote Services | |
CM-2 | Baseline Configuration | Protects | T1133 | External Remote Services | |
CM-6 | Configuration Settings | Protects | T1133 | External Remote Services | |
CM-7 | Least Functionality | Protects | T1133 | External Remote Services | |
CM-8 | System Component Inventory | Protects | T1133 | External Remote Services | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1133 | External Remote Services | |
IA-5 | Authenticator Management | Protects | T1133 | External Remote Services | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1133 | External Remote Services | |
SC-46 | Cross Domain Policy Enforcement | Protects | T1133 | External Remote Services | |
SC-7 | Boundary Protection | Protects | T1133 | External Remote Services | |
SI-4 | System Monitoring | Protects | T1133 | External Remote Services | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1133 | External Remote Services | |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1133 | External Remote Services | This control's "Management ports should be closed on your virtual machines" recommendation can reduce the attack surface of Azure VMs by prompting administrators to close management ports. Because this is only a recommendation, its score is limited to Partial. |
network_security_groups | Network Security Groups | technique_scores | T1133 | External Remote Services | This control can be used to restrict direct access to the remote service gateways and concentrators that typically accompany external remote services. It can be circumvented, though, if an adversary compromises a trusted host and uses it to reach the external remote service. This results in an overall Partial (coverage) score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1133 | External Remote Services | This control's "Suspicious VPN connection (external ID 2025)" alert uses machine learning models to learn a user's normal VPN connections and detect deviations from that baseline. The detection is specific to VPN traffic, so its overall coverage is Minimal. |
azure_policy | Azure Policy | technique_scores | T1133 | External Remote Services | This control may provide recommendations to secure external remote services, such as restricting SSH access, enabling multi-factor authentication for VPN access, and auditing external remote services that are unnecessary or not kept updated. |
azure_alerts_for_network_layer | Azure Alerts for Network Layer | technique_scores | T1133 | External Remote Services | This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity". |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1133 | External Remote Services | This control's access control policies can limit abuse of external-facing remote services. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1133 | External Remote Services | This control can provide logging of activity associated with potential exploitation of remote services, such as anomalous geographic access. |
azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1133 | External Remote Services | This control's "Configure VPN Integration" recommendation can lead to detecting abnormal VPN connections that may be indicative of an attack. Although the recommendation is limited to one external remote service type (VPN), most of this technique's procedure examples are VPN-related, resulting in a Partial overall score. |
just-in-time_vm_access | Just-in-Time VM Access | technique_scores | T1133 | External Remote Services | This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt to use external remote services, such as RDP or a VPN, unless the attacker has the credentials and permissions to request such access. Even once an authorized user has been granted access to the virtual machine, a list of authorized source IP addresses for that access can be configured. |
azure_firewall | Azure Firewall | technique_scores | T1133 | External Remote Services | This control can limit access to external remote services to the minimum necessary. |
azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1133 | External Remote Services | This control can identify anomalous access to external remote services. |