Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is lateral movement to enable access to a remote system.
An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)
Depending on the permissions level of the vulnerable remote service, an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1210 | Exploitation of Remote Services | |
AC-3 | Access Enforcement | Protects | T1210 | Exploitation of Remote Services | |
AC-4 | Information Flow Enforcement | Protects | T1210 | Exploitation of Remote Services | |
AC-5 | Separation of Duties | Protects | T1210 | Exploitation of Remote Services | |
AC-6 | Least Privilege | Protects | T1210 | Exploitation of Remote Services | |
CA-2 | Control Assessments | Protects | T1210 | Exploitation of Remote Services | |
CA-7 | Continuous Monitoring | Protects | T1210 | Exploitation of Remote Services | |
CA-8 | Penetration Testing | Protects | T1210 | Exploitation of Remote Services | |
CM-2 | Baseline Configuration | Protects | T1210 | Exploitation of Remote Services | |
CM-5 | Access Restrictions for Change | Protects | T1210 | Exploitation of Remote Services | |
CM-6 | Configuration Settings | Protects | T1210 | Exploitation of Remote Services | |
CM-7 | Least Functionality | Protects | T1210 | Exploitation of Remote Services | |
CM-8 | System Component Inventory | Protects | T1210 | Exploitation of Remote Services | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1210 | Exploitation of Remote Services | |
IA-8 | Identification and Authentication (Non-Organizational Users) | Protects | T1210 | Exploitation of Remote Services | |
RA-10 | Threat Hunting | Protects | T1210 | Exploitation of Remote Services | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1210 | Exploitation of Remote Services | |
SC-18 | Mobile Code | Protects | T1210 | Exploitation of Remote Services | |
SC-2 | Separation of System and User Functionality | Protects | T1210 | Exploitation of Remote Services | |
SC-26 | Decoys | Protects | T1210 | Exploitation of Remote Services | |
SC-29 | Heterogeneity | Protects | T1210 | Exploitation of Remote Services | |
SC-3 | Security Function Isolation | Protects | T1210 | Exploitation of Remote Services | |
SC-30 | Concealment and Misdirection | Protects | T1210 | Exploitation of Remote Services | |
SC-35 | External Malicious Code Identification | Protects | T1210 | Exploitation of Remote Services | |
SC-39 | Process Isolation | Protects | T1210 | Exploitation of Remote Services | |
SC-46 | Cross Domain Policy Enforcement | Protects | T1210 | Exploitation of Remote Services | |
SC-7 | Boundary Protection | Protects | T1210 | Exploitation of Remote Services | |
SI-2 | Flaw Remediation | Protects | T1210 | Exploitation of Remote Services | |
SI-3 | Malicious Code Protection | Protects | T1210 | Exploitation of Remote Services | |
SI-4 | System Monitoring | Protects | T1210 | Exploitation of Remote Services | |
SI-5 | Security Alerts, Advisories, and Directives | Protects | T1210 | Exploitation of Remote Services | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1210 | Exploitation of Remote Services | |
CVE-2020-1206 | Windows 10 Version 1909 for 32-bit Systems | uncategorized | T1210 | Exploitation of Remote Services | |
CVE-2017-8543 | Microsoft Windows | uncategorized | T1210 | Exploitation of Remote Services | |
CVE-2017-0176 | Microsoft Windows Server 2003 SP1, SP2 Windows XP - SP3 | uncategorized | T1210 | Exploitation of Remote Services | |
CVE-2010-2729 | n/a | uncategorized | T1210 | Exploitation of Remote Services | |
CVE-2008-4250 | n/a | uncategorized | T1210 | Exploitation of Remote Services | |
CVE-2017-14323 | n/a | uncategorized | T1210 | Exploitation of Remote Services | |
CVE-2014-0751 | n/a | uncategorized | T1210 | Exploitation of Remote Services | |
CVE-2018-8414 | Windows 10 Servers | uncategorized | T1210 | Exploitation of Remote Services | |
action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1210 | Exploitation of Remote Services | |
action.malware.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) | related-to | T1210 | Exploitation of Remote Services | |
aws_rds | AWS RDS | technique_scores | T1210 | Exploitation of Remote Services | AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances, which may be susceptible to exploitation. |
aws_rds | AWS RDS | technique_scores | T1210 | Exploitation of Remote Services | AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant. |
aws_config | AWS Config | technique_scores | T1210 | Exploitation of Remote Services | The "ec2-managedinstance-applications-blacklisted" managed rule verifies that none of the applications on a pre-defined list is installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or the presence of allowed packages below a minimum version (prompting updates before they can be exploited), both of which reduce instances' attack surface for adversary exploitation, including via those applications' exposed remote services. The "ec2-instance-no-public-ip" managed rule identifies EC2 instances with public IP associations, which should be removed unless necessary, to avoid exposing services publicly to adversaries. All of these rules run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial. |
amazon_inspector | Amazon Inspector | technique_scores | T1210 | Exploitation of Remote Services | Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess the security control "Support SSH version 2 only", which prevents a vulnerable version of SSH from being used, as well as the security controls "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)", which make it more difficult for an attacker to exploit vulnerabilities in software. Amazon Inspector does not directly protect against exploitation and is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial. |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1210 | Exploitation of Remote Services | VPC security groups and network access control lists (NACLs) can be used to restrict access to remote services to the minimum necessary. |
aws_security_hub | AWS Security Hub | technique_scores | T1210 | Exploitation of Remote Services | AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities throughout the attack lifecycle. AWS Security Hub provides this detection with the managed insight "EC2 instances that have missing security patches for important vulnerabilities". This is scored as Partial because the checks associated with Security Hub only report on missing patches for known vulnerabilities; they do not cover zero-day vulnerabilities. |
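One way to check the VPC security-group control in the table (restricting the remote services T1210 names, such as SMB, RDP and MySQL, to the minimum necessary source range) as a defender's audit. This is an added example, not code from the ATT&CK page or the AWS mappings; the group data is constructed inline in the shape of boto3's `describe_security_groups()` response, and the /24 threshold and the port-to-service list are assumptions.

```python
# Added example (not part of the ATT&CK or mappings page): flag security-group
# ingress rules that open a remote-service port to a CIDR broader than a
# chosen prefix length. Input mimics boto3 describe_security_groups() output,
# constructed inline below; no AWS API call is made.
import ipaddress

# Assumed port-to-service list covering the services the page cites.
REMOTE_SERVICE_PORTS = {22: "SSH", 445: "SMB", 3306: "MySQL", 3389: "RDP"}

# Constructed sample: one over-exposed group, one scoped to a group/subnet.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "app-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.30.0/24"}],
         "UserIdGroupPairs": []},
    ]},
]


def rule_ports(perm):
    """Remote-service ports a permission entry opens; protocol -1 means all."""
    if perm.get("IpProtocol") == "-1":
        return set(REMOTE_SERVICE_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in REMOTE_SERVICE_PORTS if lo <= p <= hi}


def find_exposed_services(groups, max_prefix_len=24):
    """Return (group_id, service, cidr) for each rule that opens a remote-service
    port to a CIDR wider than /max_prefix_len. Source-security-group references
    (UserIdGroupPairs) are treated as already scoped and are not flagged."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if net.prefixlen >= max_prefix_len:
                    continue  # narrow enough for this policy
                for port in sorted(rule_ports(perm)):
                    findings.append((group["GroupId"],
                                     REMOTE_SERVICE_PORTS[port], rng["CidrIp"]))
    return findings


if __name__ == "__main__":
    for finding in find_exposed_services(SAMPLE_GROUPS):
        print("%s exposes %s to %s" % finding)
```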