T1133 External Remote Services Mappings

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
| --- | --- | --- | --- | --- |
| AC-17 | Remote Access | Protects | T1133 | External Remote Services |
| AC-20 | Use of External Systems | Protects | T1133 | External Remote Services |
| AC-23 | Data Mining Protection | Protects | T1133 | External Remote Services |
| AC-3 | Access Enforcement | Protects | T1133 | External Remote Services |
| AC-4 | Information Flow Enforcement | Protects | T1133 | External Remote Services |
| AC-6 | Least Privilege | Protects | T1133 | External Remote Services |
| AC-7 | Unsuccessful Logon Attempts | Protects | T1133 | External Remote Services |
| CM-2 | Baseline Configuration | Protects | T1133 | External Remote Services |
| CM-6 | Configuration Settings | Protects | T1133 | External Remote Services |
| CM-7 | Least Functionality | Protects | T1133 | External Remote Services |
| CM-8 | System Component Inventory | Protects | T1133 | External Remote Services |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1133 | External Remote Services |
| IA-5 | Authenticator Management | Protects | T1133 | External Remote Services |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1133 | External Remote Services |
| SC-46 | Cross Domain Policy Enforcement | Protects | T1133 | External Remote Services |
| SC-7 | Boundary Protection | Protects | T1133 | External Remote Services |
| SI-4 | System Monitoring | Protects | T1133 | External Remote Services |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1133 | External Remote Services |
| CVE-2019-1942 | Cisco Identity Services Engine Software | exploitation_technique | T1133 | External Remote Services |
| CVE-2019-15972 | Cisco Unified Communications Manager | exploitation_technique | T1133 | External Remote Services |
| CVE-2019-15288 | Cisco TelePresence TC Software | exploitation_technique | T1133 | External Remote Services |
| CVE-2019-15998 | Cisco IOS XR Software | primary_impact | T1133 | External Remote Services |
| CVE-2020-3387 | Cisco SD-WAN vManage | exploitation_technique | T1133 | External Remote Services |
| CVE-2019-1612 | Nexus 3000 Series Switches | exploitation_technique | T1133 | External Remote Services |
| CVE-2019-1836 | Cisco NX-OS Software for Nexus 9000 Series Fabric Switches ACI Mode | exploitation_technique | T1133 | External Remote Services |
| CVE-2018-15444 | Cisco Energy Management Suite | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-3237 | Cisco IOx | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-3198 | Cisco IOS 12.2(60)EZ16 | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-3309 | Cisco Firepower Threat Defense Software | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-3240 | Cisco UCS Director | exploitation_technique | T1133 | External Remote Services |
| CVE-2018-11048 | Data Protection Advisor | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-15188 | soycms | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-15147 | Red-DiscordBot | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-15140 | Red-DiscordBot | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-5295 | october | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-4068 | APNSwift | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-15109 | solidus | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-5225 | SimpleSAMLphp | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-11010 | tortoise-orm | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-15143 | SyliusResourceBundle | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-12029 | FactoryTalk View SE | exploitation_technique | T1133 | External Remote Services |
| CVE-2018-19007 | Geutebrück GmbH E2 Camera Series versions prior to 1.12.0.25 | exploitation_technique | T1133 | External Remote Services |
| CVE-2019-18234 | Equinox Control Expert | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-10603 | WebAccess/NMS | exploitation_technique | T1133 | External Remote Services |
| CVE-2020-12000 | Ignition 8 Gateway | exploitation_technique | T1133 | External Remote Services |
| CVE-2019-15821 | n/a | uncategorized | T1133 | External Remote Services |
| CVE-2015-7935 | n/a | uncategorized | T1133 | External Remote Services |
| CVE-2014-9938 | n/a | uncategorized | T1133 | External Remote Services |
| CVE-2016-6367 | n/a | uncategorized | T1133 | External Remote Services |
| CVE-2010-2772 | n/a | uncategorized | T1133 | External Remote Services |
| CVE-2012-5958 | n/a | uncategorized | T1133 | External Remote Services |
| CVE-2016-5180 | n/a | uncategorized | T1133 | External Remote Services |
| CVE-2019-11510 | n/a | uncategorized | T1133 | External Remote Services |
| CVE-2018-7506 | Moxa MXview | uncategorized | T1133 | External Remote Services |
| CVE-2019-11708 | Firefox ESR | uncategorized | T1133 | External Remote Services |
| CVE-2014-0751 | n/a | uncategorized | T1133 | External Remote Services |
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1133 | External Remote Services |
| action.hacking.variety.Use of stolen creds | Use of stolen authentication credentials (including credential stuffing) | related-to | T1133 | External Remote Services |
| action.hacking.vector.3rd party desktop | 3rd party online desktop sharing (LogMeIn, Go2Assist) | related-to | T1133 | External Remote Services |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1133 | External Remote Services |
| action.hacking.vector.Desktop sharing software | Superset of 'Desktop sharing' and '3rd party desktop'. Please use in place of the other two | related-to | T1133 | External Remote Services |
| action.malware.variety.Backdoor | Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' | related-to | T1133 | External Remote Services |
| action.malware.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations (such as Remote injection when a Remote injection vuln exists) | related-to | T1133 | External Remote Services |
| action.malware.vector.Remote injection | Remotely injected by agent (i.e. via SQLi) | related-to | T1133 | External Remote Services |
| action.malware.vector.Web application | Web application. Parent of 'Web application - download' and 'Web application - drive-by' | related-to | T1133 | External Remote Services |
| amazon_inspector | Amazon Inspector | technique_scores | T1133 | External Remote Services |
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1133 | External Remote Services |
| aws_network_firewall | AWS Network Firewall | technique_scores | T1133 | External Remote Services |
| aws_single_sign-on | AWS Single Sign-On | technique_scores | T1133 | External Remote Services |