CYBERSECURITY JOB HUNTING GUIDE
T1133
Author: Stefan Waldvogel
LimaCharlie vs. External Remote Services
Overview:
Description from ATT&CK
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) can also be used externally.
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1133 -ShowDetailsBrief
Invoke-AtomicTest T1133 -CheckPrereqs
Invoke-AtomicTest T1133 -GetPrereqs
Invoke-AtomicTest T1133
Invoke-AtomicTest T1133 -Cleanup
Changes:
This test works with Chrome, but it was not installed. I installed it.
Limitations:
LC detected a "generic" PowerShell command. All PowerShell commands will be detected.
The malicious attempt itself was not detected as a separate command or event.
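The gap described under Limitations (an alert on "PowerShell ran" but nothing on what the test actually did) is the difference between a process-based rule and a behaviour-based one. The Python below is an added example, not code from this page, from Atomic Red Team or from LimaCharlie. It runs both kinds of check over a handful of constructed, simplified events; the field names are mine and not LC's event schema. It assumes the T1133 atomic test force-installs Chrome VPN extensions by writing entries under HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist with the Chrome update URL; the extension ID in the sample is made up. Check the test's YAML before turning this into a real D&R rule.

```python
"""Generic vs. behavioural detection for the T1133 Chrome VPN-extension test.

Added example, not from the original page, Atomic Red Team or LimaCharlie.
Telemetry is constructed by hand and only loosely shaped like EDR events.
Assumption: the atomic test writes Chrome's ExtensionInstallForcelist policy
key; the extension ID below is a placeholder, not a real extension.
"""
import json
import re

# Constructed sample telemetry, one JSON event per line:
#   1. a benign admin PowerShell command
#   2. the PowerShell launch that runs the atomic test
#   3. the registry write the test is assumed to perform
#   4. a benign Chrome policy write under the same parent key
SAMPLE_EVENTS = "\n".join([
    json.dumps({"type": "NEW_PROCESS",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe Get-Service -Name Spooler"}),
    json.dumps({"type": "NEW_PROCESS",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -ExecutionPolicy Bypass Invoke-AtomicTest T1133"}),
    json.dumps({"type": "REGISTRY_WRITE",
                "key": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
                "name": "1",
                # placeholder ID (constructed); real IDs are 32 chars of a-p
                "data": "abcdefghijklmnopabcdefghijklmnop;"
                        "https://clients2.google.com/service/update2/crx"}),
    json.dumps({"type": "REGISTRY_WRITE",
                "key": r"HKLM\SOFTWARE\Policies\Google\Chrome",
                "name": "HomepageLocation",
                "data": "https://intranet.example"}),
])

# Chrome's force-install policy key; matched case-insensitively on the tail.
FORCELIST_KEY = re.compile(
    r"\\Policies\\Google\\Chrome\\ExtensionInstallForcelist$", re.IGNORECASE)
# Force-list entries are "<extension id>;<update url>"; IDs are 32 letters a-p.
EXTENSION_ID = re.compile(r"[a-p]{32}")


def parse_events(text):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def generic_powershell(events):
    """The rule the page describes LC firing: every powershell.exe launch.

    Returns the command lines that matched. Fires on benign admin use too,
    so it tells you nothing about the technique."""
    return [e["cmdline"] for e in events
            if e.get("type") == "NEW_PROCESS"
            and e.get("image", "").lower().endswith("\\powershell.exe")]


def forcelist_writes(events):
    """Behavioural rule: a registry write that force-installs a Chrome
    extension, regardless of which process did it.

    Returns one dict per matching write with the parsed extension ID and
    update URL. A sibling policy value (HomepageLocation) does not match."""
    hits = []
    for e in events:
        if e.get("type") != "REGISTRY_WRITE":
            continue
        if not FORCELIST_KEY.search(e.get("key", "")):
            continue
        ext_id, _, update_url = e.get("data", "").partition(";")
        if EXTENSION_ID.fullmatch(ext_id):
            hits.append({"key": e["key"], "extension_id": ext_id,
                         "update_url": update_url})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("generic PowerShell alerts:", generic_powershell(evs))
    print("force-list writes:", forcelist_writes(evs))
```

The point of keying on the registry write rather than the launcher is that the same write is an alert whether it comes from powershell.exe, reg.exe or a GPO script, while the generic rule fires on every admin who opens a console.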
Result:
© 2021. This work is licensed under a CC BY-SA 4.0 license