Exploitation of Remote Services

Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside a network. Adversaries may exploit remote services by taking advantage of a mobile device's access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is lateral movement to gain access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

Depending on the permissions level of the vulnerable remote service, an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.

ID: T1428
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
MTC ID: APP-32
Version: 1.2
Created: 25 October 2017
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0300 DressCode

DressCode sets up a "general purpose tunnel" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.[1]

S0299 NotCompatible

NotCompatible has the capability to exploit systems on an enterprise network.[2]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

Configuring per-app VPN policies instead of a device-wide VPN can restrict access to internal enterprise resources via VPN to only enterprise-approved applications.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Network Communication

Application vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network.

DS0029 Network Traffic Network Traffic Content

Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources.
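As an added illustration of the network-traffic detection above (example code written for this page, not MITRE's or any vendor's): it scans a constructed VPN flow log for a mobile client that fans out to many distinct internal hosts in a short window, the footprint of Network Service Scanning before exploitation, or that reaches service ports outside a per-app allow-list. The log format, the 10.8.0.0/24 client range and APPROVED_PORTS are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN-concentrator flow log (not real data): one line per
# new connection from a mobile VPN client to an internal host.
SAMPLE_LOG = """\
2023-03-20T10:00:01Z client=10.8.0.5 dst=10.0.1.20 dport=443
2023-03-20T10:00:03Z client=10.8.0.5 dst=10.0.1.20 dport=443
2023-03-20T10:05:00Z client=10.8.0.7 dst=10.0.1.10 dport=445
2023-03-20T10:05:01Z client=10.8.0.7 dst=10.0.1.11 dport=445
2023-03-20T10:05:02Z client=10.8.0.7 dst=10.0.1.12 dport=445
2023-03-20T10:05:03Z client=10.8.0.7 dst=10.0.1.13 dport=3389
2023-03-20T10:05:04Z client=10.8.0.7 dst=10.0.1.14 dport=22
2023-03-20T10:05:05Z client=10.8.0.7 dst=10.0.1.15 dport=445
"""

# Assumed allow-list: the only internal service a mobile client is expected
# to reach over the per-app VPN (e.g. an HTTPS front end).
APPROVED_PORTS = {443}


def parse_line(line):
    """Split one assumed-format log line into (timestamp, client, dst, port)."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            fields["client"], fields["dst"], int(fields["dport"]))


def detect_fan_out(log_text, window=timedelta(minutes=2), max_hosts=4):
    """Return {client: {"peak_hosts", "unapproved_ports"}} for VPN clients that
    contact more than max_hosts distinct internal hosts inside `window`, or
    any port outside APPROVED_PORTS. Either is an 'unusual target' for a
    mobile device and worth a closer look."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, dst, port = parse_line(line)
            per_client[client].append((ts, dst, port))
    alerts = {}
    for client, events in per_client.items():
        events.sort()
        unapproved = sorted({p for _, _, p in events if p not in APPROVED_PORTS})
        peak = 0  # largest number of distinct hosts seen in any window
        for start, _, _ in events:
            hosts = {d for t, d, _ in events if start <= t <= start + window}
            peak = max(peak, len(hosts))
        if peak > max_hosts or unapproved:
            alerts[client] = {"peak_hosts": peak, "unapproved_ports": unapproved}
    return alerts
```

In the sample, the client on 10.8.0.5 only ever reaches one host on 443 and is not reported; 10.8.0.7 sweeps six hosts on SMB, RDP and SSH ports within five seconds and is.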

References