T1210 Exploitation of Remote Services Mappings

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)

Depending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1210 Exploitation of Remote Services
AC-3 Access Enforcement Protects T1210 Exploitation of Remote Services
AC-4 Information Flow Enforcement Protects T1210 Exploitation of Remote Services
AC-5 Separation of Duties Protects T1210 Exploitation of Remote Services
AC-6 Least Privilege Protects T1210 Exploitation of Remote Services
CA-2 Control Assessments Protects T1210 Exploitation of Remote Services
CA-7 Continuous Monitoring Protects T1210 Exploitation of Remote Services
CA-8 Penetration Testing Protects T1210 Exploitation of Remote Services
CM-2 Baseline Configuration Protects T1210 Exploitation of Remote Services
CM-5 Access Restrictions for Change Protects T1210 Exploitation of Remote Services
CM-6 Configuration Settings Protects T1210 Exploitation of Remote Services
CM-7 Least Functionality Protects T1210 Exploitation of Remote Services
CM-8 System Component Inventory Protects T1210 Exploitation of Remote Services
IA-2 Identification and Authentication (organizational Users) Protects T1210 Exploitation of Remote Services
IA-8 Identification and Authentication (non-organizational Users) Protects T1210 Exploitation of Remote Services
RA-10 Threat Hunting Protects T1210 Exploitation of Remote Services
RA-5 Vulnerability Monitoring and Scanning Protects T1210 Exploitation of Remote Services
SC-18 Mobile Code Protects T1210 Exploitation of Remote Services
SC-2 Separation of System and User Functionality Protects T1210 Exploitation of Remote Services
SC-26 Decoys Protects T1210 Exploitation of Remote Services
SC-29 Heterogeneity Protects T1210 Exploitation of Remote Services
SC-3 Security Function Isolation Protects T1210 Exploitation of Remote Services
SC-30 Concealment and Misdirection Protects T1210 Exploitation of Remote Services
SC-35 External Malicious Code Identification Protects T1210 Exploitation of Remote Services
SC-39 Process Isolation Protects T1210 Exploitation of Remote Services
SC-46 Cross Domain Policy Enforcement Protects T1210 Exploitation of Remote Services
SC-7 Boundary Protection Protects T1210 Exploitation of Remote Services
SI-2 Flaw Remediation Protects T1210 Exploitation of Remote Services
SI-3 Malicious Code Protection Protects T1210 Exploitation of Remote Services
SI-4 System Monitoring Protects T1210 Exploitation of Remote Services
SI-5 Security Alerts, Advisories, and Directives Protects T1210 Exploitation of Remote Services
SI-7 Software, Firmware, and Information Integrity Protects T1210 Exploitation of Remote Services
CVE-2020-1206 Windows 10 Version 1909 for 32-bit Systems uncategorized T1210 Exploitation of Remote Services
CVE-2017-8543 Microsoft Windows uncategorized T1210 Exploitation of Remote Services
CVE-2017-0176 Microsoft Windows Server 2003 SP1, SP2 Windows XP - SP3 uncategorized T1210 Exploitation of Remote Services
CVE-2010-2729 n/a uncategorized T1210 Exploitation of Remote Services
CVE-2008-4250 n/a uncategorized T1210 Exploitation of Remote Services
CVE-2017-14323 n/a uncategorized T1210 Exploitation of Remote Services
CVE-2014-0751 n/a uncategorized T1210 Exploitation of Remote Services
CVE-2018-8414 Windows 10 Servers uncategorized T1210 Exploitation of Remote Services
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1210 Exploitation of Remote Services
action.malware.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) related-to T1210 Exploitation of Remote Services
aws_rds AWS RDS technique_scores T1210 Exploitation of Remote Services
aws_rds AWS RDS technique_scores T1210 Exploitation of Remote Services
aws_config AWS Config technique_scores T1210 Exploitation of Remote Services
amazon_inspector Amazon Inspector technique_scores T1210 Exploitation of Remote Services
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1210 Exploitation of Remote Services
aws_security_hub AWS Security Hub technique_scores T1210 Exploitation of Remote Services