Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is lateral movement to enable access to a remote system.
An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely high-value targets for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
Depending on the permissions level of the vulnerable remote service, an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.
ID | Name | Description |
---|---|---|
S0300 | DressCode | DressCode sets up a "general purpose tunnel" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.[1] |
S0299 | NotCompatible | NotCompatible has the capability to exploit systems on an enterprise network.[2] |
ID | Mitigation | Description |
---|---|---|
M1012 | Enterprise Policy | Configuring per-app VPN policies instead of a device-wide VPN can restrict access to internal enterprise resources over the VPN to only enterprise-approved applications. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0041 | Application Vetting | Network Communication | Application vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. |
DS0029 | Network Traffic | Network Traffic Content | Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. |
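
An added example (not part of the original entry) of the network-traffic check described above: it flags mobile VPN clients that reach internal targets outside an approved set, and separates a single unapproved access from scan-like fan-out across many hosts. The address ranges, approved list, threshold, device names and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Every value below is constructed for illustration (assumptions, not from the page).
MOBILE_VPN_POOL = ipaddress.ip_network("10.50.0.0/24")  # leases given to mobile VPN clients
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # enterprise address space
APPROVED = {("10.1.1.10", 443), ("10.1.1.20", 443)}     # resources approved apps should reach
FANOUT_THRESHOLD = 4  # distinct unapproved internal targets that suggest scanning

# Constructed flow records: (device_id, src_ip, dst_ip, dst_port)
FLOWS = [
    ("phone-a", "10.50.0.11", "10.1.1.10", 443),   # approved resource
    ("phone-a", "10.50.0.11", "203.0.113.5", 443), # internet destination, out of scope
    ("phone-b", "10.50.0.12", "10.1.1.20", 443),   # approved resource
    ("phone-b", "10.50.0.12", "10.2.0.5", 445),    # one unapproved internal target
    ("phone-c", "10.50.0.13", "10.2.0.5", 445),
    ("phone-c", "10.50.0.13", "10.2.0.6", 445),
    ("phone-c", "10.50.0.13", "10.2.0.7", 445),
    ("phone-c", "10.50.0.13", "10.2.0.7", 445),    # repeat, counted once
    ("phone-c", "10.50.0.13", "10.2.0.8", 22),
    ("desk-01", "10.3.0.7", "10.2.0.5", 445),      # not a mobile VPN client, ignored
]

def unusual_targets(flows):
    """Map each mobile device to the internal (ip, port) pairs it reached outside APPROVED."""
    hits = defaultdict(set)
    for device, src, dst, port in flows:
        if ipaddress.ip_address(src) not in MOBILE_VPN_POOL:
            continue  # only traffic that originates from mobile VPN clients
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            continue  # only internal enterprise destinations
        if (dst, port) not in APPROVED:
            hits[device].add((dst, port))
    return hits

def classify(flows, threshold=FANOUT_THRESHOLD):
    """Label flagged devices: 'fan-out' for scan-like spread, else 'unapproved-access'."""
    return {
        device: "fan-out" if len(targets) >= threshold else "unapproved-access"
        for device, targets in unusual_targets(flows).items()
    }

if __name__ == "__main__":
    for device, label in sorted(classify(FLOWS).items()):
        print(device, label)
```

With a per-app VPN policy in place, the approved set can be derived from what the enterprise-approved applications are expected to reach, so any flagged device is also a sign that the policy is missing or being bypassed.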