Skip to content

T1428 Exploitation of Remote Services

Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

Depending on the permissions level of the vulnerable remote service, an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.

Item Value
ID T1428
Sub-techniques
Tactics TA0033
Platforms Android, iOS
Version 1.2
Created 25 October 2017
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0300 DressCode DressCode sets up a “general purpose tunnel” that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.1
S0299 NotCompatible NotCompatible has the capability to exploit systems on an enterprise network.2

Mitigations

ID Mitigation Description
M1012 Enterprise Policy Configuration of per-app VPN policies instead of device-wide VPN can restrict access to internal enterprise resource access via VPN to only enterprise-approved applications

Detection

ID Data Source Data Component
DS0041 Application Vetting Network Communication
DS0029 Network Traffic Network Traffic Content

References

  1. Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016. 

  2. Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.