Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, a service, or the operating system software or kernel itself to execute adversary-controlled code. A common goal of post-compromise exploitation of remote services is lateral movement, enabling access to a remote system.
An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
There are several well-known vulnerabilities in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176), as well as in applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services (Citation: NVD CVE-2014-7169).
Depending on the permission level of the vulnerable remote service, an adversary may also achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1210 | Exploitation of Remote Services | |
AC-3 | Access Enforcement | Protects | T1210 | Exploitation of Remote Services | |
AC-4 | Information Flow Enforcement | Protects | T1210 | Exploitation of Remote Services | |
AC-5 | Separation of Duties | Protects | T1210 | Exploitation of Remote Services | |
AC-6 | Least Privilege | Protects | T1210 | Exploitation of Remote Services | |
CA-2 | Control Assessments | Protects | T1210 | Exploitation of Remote Services | |
CA-7 | Continuous Monitoring | Protects | T1210 | Exploitation of Remote Services | |
CA-8 | Penetration Testing | Protects | T1210 | Exploitation of Remote Services | |
CM-2 | Baseline Configuration | Protects | T1210 | Exploitation of Remote Services | |
CM-5 | Access Restrictions for Change | Protects | T1210 | Exploitation of Remote Services | |
CM-6 | Configuration Settings | Protects | T1210 | Exploitation of Remote Services | |
CM-7 | Least Functionality | Protects | T1210 | Exploitation of Remote Services | |
CM-8 | System Component Inventory | Protects | T1210 | Exploitation of Remote Services | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1210 | Exploitation of Remote Services | |
IA-8 | Identification and Authentication (non-organizational Users) | Protects | T1210 | Exploitation of Remote Services | |
RA-10 | Threat Hunting | Protects | T1210 | Exploitation of Remote Services | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1210 | Exploitation of Remote Services | |
SC-18 | Mobile Code | Protects | T1210 | Exploitation of Remote Services | |
SC-2 | Separation of System and User Functionality | Protects | T1210 | Exploitation of Remote Services | |
SC-26 | Decoys | Protects | T1210 | Exploitation of Remote Services | |
SC-29 | Heterogeneity | Protects | T1210 | Exploitation of Remote Services | |
SC-3 | Security Function Isolation | Protects | T1210 | Exploitation of Remote Services | |
SC-30 | Concealment and Misdirection | Protects | T1210 | Exploitation of Remote Services | |
SC-35 | External Malicious Code Identification | Protects | T1210 | Exploitation of Remote Services | |
SC-39 | Process Isolation | Protects | T1210 | Exploitation of Remote Services | |
SC-46 | Cross Domain Policy Enforcement | Protects | T1210 | Exploitation of Remote Services | |
SC-7 | Boundary Protection | Protects | T1210 | Exploitation of Remote Services | |
SI-2 | Flaw Remediation | Protects | T1210 | Exploitation of Remote Services | |
SI-3 | Malicious Code Protection | Protects | T1210 | Exploitation of Remote Services | |
SI-4 | System Monitoring | Protects | T1210 | Exploitation of Remote Services | |
SI-5 | Security Alerts, Advisories, and Directives | Protects | T1210 | Exploitation of Remote Services | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1210 | Exploitation of Remote Services | |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1210 | Exploitation of Remote Services | This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed". |
network_security_groups | Network Security Groups | technique_scores | T1210 | Exploitation of Remote Services | This control can be used to restrict access to remote services to the minimum necessary. |
azure_sentinel | Azure Sentinel | technique_scores | T1210 | Exploitation of Remote Services | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes built-in modules for exploiting remote SMB, JBoss, and Jenkins servers, but does not address other procedures. The Azure Sentinel Analytics "Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task" query can detect when an adversary gains execution capability on an ADFS server through SMB and Remote Service or Scheduled Task. |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1210 | Exploitation of Remote Services | This control's "Remote code execution over DNS (external ID 2036)" alert can look for an attacker attempting to exploit CVE-2018-8626, a remote code execution vulnerability in Windows Domain Name System (DNS) servers. In this detection, a Defender for Identity security alert is triggered when DNS queries suspected of exploiting CVE-2018-8626 are made against a domain controller in the network. Likewise, this control's "Suspected SMB packet manipulation (CVE-2020-0796 exploitation)" alert can detect attempts to exploit a remote code execution vulnerability in SMBv3. Because these detections are specific to a few CVEs, the control's coverage is Minimal, resulting in a Minimal score. |
azure_automation_update_management | Azure Automation Update Management | technique_scores | T1210 | Exploitation of Remote Services | This control provides significant coverage of techniques that leverage vulnerabilities in unpatched remote services, since it enables automated updates of software and rapid configuration change management. |
azure_policy | Azure Policy | technique_scores | T1210 | Exploitation of Remote Services | This control may provide recommendations to enable Azure security controls that harden remote services and reduce the surface area available for exploitation. |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1210 | Exploitation of Remote Services | This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in an exposed service. Detection is periodic at an unknown rate. |
integrated_vulnerability_scanner_powered_by_qualys | Integrated Vulnerability Scanner Powered by Qualys | technique_scores | T1210 | Exploitation of Remote Services | Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation, and it is not effective against zero-day attacks, vulnerabilities with no available patch, or software that the scanner does not analyze. As a result, the score is capped at Partial. |