MITRE ATT&CK  /  T1210

T1210

Exploitation of Remote Services

Description

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.There are several well-known vulnerabilities that exist in common services such as SMB(Citation: CIS Multiple SMB Vulnerabilities) and RDP(Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL(Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Additionally, there have been a …

Platforms

Mitigations

• M1042 — Disable or Remove Feature or Program
• M1016 — Vulnerability Scanning
• M1050 — Exploit Protection
• M1030 — Network Segmentation
• M1019 — Threat Intelligence Program
• M1048 — Application Isolation and Sandboxing
• M1026 — Privileged Account Management
• M1051 — Update Software

Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →