Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

Depending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.[1]

Procedure Examples

Name Description
TrickBot

TrickBot utilizes EternalBlue and EternalRomance exploits for Lateral Movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, tabDll.[2]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.

References

Attachments

ID
VT0026
MITRE ID
Sub-techniques
No sub-techniques
Tactic
Lateral Movement
Platforms
Linux
Windows
macOS
System Requirements
Unpatched software or otherwise vulnerable target. Depending on the target and goal
the system and exploitable service may need to be remotely accessible from the internal network.
Permissions Required
User
Data Sources
File monitoring
Process monitoring
Windows Error Reporting
Version
1.1

Created: 05 January 2021

Last Modified: 05 January 2021