# T1133 External Remote Services

-----------------------------------------------------------------------

## Technique Description

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)

## Technique Detection

Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.

When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.
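The two detection paragraphs above describe reviewing authentication logs for unusual access patterns and off-hours activity. The following script is an added example (not part of the ATT&CK text) that applies three such checks to gateway logon records: a logon outside an assumed business-hours window, a successful logon from a source address the user has not been seen from during a baseline period, and a success that follows a run of failures from the same source. The log format, the business-hours window, the failure threshold and every record are constructed for the example; adapt the parser to your VPN or RDP gateway's real export.

```python
"""Baseline-driven review of remote-service authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, time

# Assumed business-hours window, in UTC. Successful logons outside it are flagged.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
# Assumed number of consecutive failures from one source before a success is suspicious.
FAILURE_THRESHOLD = 5

# Constructed sample records: "<ISO timestamp> <user> <src_ip> <service> <result>"
SAMPLE_LOG = """\
2022-06-20T08:15:00Z alice 203.0.113.10 vpn SUCCESS
2022-06-20T09:02:11Z bob 198.51.100.7 rdp SUCCESS
2022-06-21T02:40:32Z alice 192.0.2.55 vpn SUCCESS
2022-06-21T10:00:01Z carol 203.0.113.22 vpn FAILURE
2022-06-21T10:00:03Z carol 203.0.113.22 vpn FAILURE
2022-06-21T10:00:05Z carol 203.0.113.22 vpn FAILURE
2022-06-21T10:00:07Z carol 203.0.113.22 vpn FAILURE
2022-06-21T10:00:09Z carol 203.0.113.22 vpn FAILURE
2022-06-21T10:00:12Z carol 203.0.113.22 vpn SUCCESS
2022-06-21T11:30:00Z bob 198.51.100.7 rdp SUCCESS
"""


def parse(log_text):
    """Parse the constructed record format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, service, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "service": service, "result": result,
        })
    return events


def outside_business_hours(ts):
    """True when the timestamp's time of day falls outside the assumed window."""
    return not (BUSINESS_START <= ts.time() <= BUSINESS_END)


def analyze(events, known_sources=None):
    """Return a list of (rule_name, event) findings.

    known_sources maps user -> set of source IPs observed during a baseline
    period. The baseline grows as events are processed, so only the first
    sighting of a new user/source pair is flagged.
    """
    baseline = defaultdict(set)
    for user, srcs in (known_sources or {}).items():
        baseline[user].update(srcs)
    failures = defaultdict(int)  # (user, src) -> consecutive failure count
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] != "SUCCESS":
            failures[key] += 1
            continue
        if outside_business_hours(ev["ts"]):
            findings.append(("off_hours_logon", ev))
        if ev["src"] not in baseline[ev["user"]]:
            findings.append(("new_source_for_user", ev))
            baseline[ev["user"]].add(ev["src"])
        if failures[key] >= FAILURE_THRESHOLD:
            findings.append(("success_after_repeated_failures", ev))
        failures[key] = 0  # a success resets the run for this user/source
    return findings


if __name__ == "__main__":
    # Constructed baseline: sources each user was seen from before the hunt window.
    known = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}
    for rule, ev in analyze(parse(SAMPLE_LOG), known):
        print(f"{rule:32} {ev['ts']:%Y-%m-%d %H:%M} {ev['user']:6} {ev['src']:15} {ev['service']}")
```

With the constructed input, alice's 02:40 logon from an unseen address produces two findings and carol's success after five failures produces two more, while bob's routine sessions produce none; in practice the baseline should be built from a period you trust and the time window adjusted per user population or time zone.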

-----------------------------------------------------------------------

### Tactics:

  * Persistence

  * Initial-Access

### Platforms:

  * Windows

  * Linux

  * Containers

  * macOS

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Application Log:** Application Log Content

  * **Logon Session:** Logon Session Metadata

  * **Network Traffic:** Network Traffic Flow

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.(Citation: Intezer TeamTNT September 2020) [TeamTNT](https://attack.mitre.org/groups/G0139) has also targeted exposed kubelets for Kubernetes environments.(Citation: Unit 42 Hildegard Malware)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) has used compromised identities to access VPNs and remote access tools.(Citation: MSTIC NOBELIUM Mar 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used stolen credentials to connect to the victim's network via VPN.(Citation: FoxIT Wocao December 2019)| 
| GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.(Citation: Secureworks REvil September 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.(Citation: FireEye KEGTAP SINGLEMALT October 2020)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.(Citation: FireEye APT41 Aug 2019)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used RDP to establish persistence.(Citation: CISA AA20-301A Kimsuky)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)| 
| TEMP.Veles | [TEMP.Veles](https://attack.mitre.org/groups/G0088) has used a VPN to persist in the victim environment.(Citation: FireEye TRITON 2019)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used external remote services such as virtual private networks (VPN) to gain initial access.(Citation: CISA AA21-200A APT40 July 2021)| 
| FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.(Citation: FireEye Respond Webinar July 2017)(Citation: DarkReading FireEye FIN5 Oct 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) uses remote services such as VPN, Citrix, or OWA to persist in an environment.(Citation: FireEye APT34 Webinar Dec 2017)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.(Citation: US-CERT TA18-074A)(Citation: CISA AA20-296A Berserk Bear December 2020)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. [Sandworm Team](https://attack.mitre.org/groups/G0034) has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots June 2017)(Citation: ANSSI Sandworm January 2021)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors look for and use VPN profiles during an operation to access the network using external VPN services.(Citation: Dell TG-3390) [Threat Group-3390](https://attack.mitre.org/groups/G0027) has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.(Citation: SecureWorks BRONZE UNION June 2017)| 
| APT18 | [APT18](https://attack.mitre.org/groups/G0026) actors leverage legitimate credentials to log into external remote services.(Citation: RSA2017 Detect and Respond Adair)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used compromised identities to access networks via SSH, VPNs, and other remote access tools.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: NCSC APT29 July 2020)(Citation: CrowdStrike StellarParticle January 2022)| 
| Night Dragon | [Night Dragon](https://attack.mitre.org/groups/G0014) has used compromised VPN accounts to gain access to victim systems.(Citation: McAfee Night Dragon)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used [Tor](https://attack.mitre.org/software/S0183) and a variety of commercial VPN services to route brute force authentication attempts.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has gained access through VPNs including with compromised accounts and stolen VPN certificates.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1133)

  * [Capec](https://capec.mitre.org/data/definitions/555.html)

  * [Macos Vnc Software For Remote Desktop](https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac), Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.

  * [Volexity Virtual Private Keylogging](https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/), Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.

  * [Trend Micro Exposed Docker Server](https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html), Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants Target Exposed Docker Servers. Retrieved April 5, 2021.

  * [Unit 42 Hildegard Malware](https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/), Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Eric Plude

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- N/A

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29| | 1, 2|

#### APT29
- APT29 will exploit a vulnerability in the Citrix application to write files and execute code remotely on vulnerable hosts.

## Detection Blindspots

- Sensor location/TAP points
- HTTPS traffic is encrypted.

## Analytical References

- https://blog.fox-it.com/2020/07/01/a-second-look-at-cve-2019-19781-citrix-netscaler-adc/

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Adversaries can abuse a vulnerability in the Citrix application to execute remote code as root. Perl scripts located under the “/vpns/” path of the Citrix appliance can be targeted to allow limited file writing on the vulnerable host. The attacker then makes an HTTP request for the XML file stored on the vulnerable host.

- The adversary can fetch the webshell content via a TXT record hosted on the C2 domain. The resulting PHP file can be used as a simple webshell that requires no authentication to interact with, other than knowing the POST parameter name.

#### Analytic 1

  * **Information:** XML Remote Code Execution

  * **Source:** PCAP

  * **Tool:** Moloch

  * **Notes:** These queries should return any .xml file that could contain remote code execution commands, whether URL-encoded or not. (The regex still needs testing.)

  * **Query_1:** `http.uri == "\]\s\"[A-Z]{3,7}\s[^\s]*/(v|%76)(p|%70)(n|%6[Ee])(s|%73)/[^\s]*\.(x|%[57]8)(m|%[46]d)(l|%[46]c)[^\s]*`

  * **Query_2:** `http.method == [GET,POST,HEAD,PUT] && http.uri == \s[^\s]*/(v|%76)(p|%70)(n|%6[Ee])(s|%73)/[^\s]*\.pl[^\s]*`

  * **Query_3:** `http.bodymagic == [text/XML, text/xml; charset=utf-8, application/xml]`

  * **Query_4:** `http.uri == *vpn*`

  * **Query_5:** `http.uri == *xml`

#### Analytic 2

  * **Information:** Perl Script Requests

  * **Source:** PCAP

  * **Tool:** Moloch

  * **Notes:** This will find HTTP requests for Perl scripts.

  * **Query_1:** `http.uri == \s[^\s]*/(v|%76)(p|%70)(n|%6[Ee])(s|%73)/[^\s]*\.pl`

  * **Query_2:** `http.uri == *.pl && http.statuscode == [301,304,200] && http.bodymagic == EXISTS!`
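The Moloch queries in Analytic 1 and Analytic 2 spell out each letter of `/vpns/`, `.xml` and `.pl` together with its percent-encoded form so that an encoded request path cannot slip past the match. The script below is an added example, not one of the playbook's own queries: it takes the same approach a step further by percent-decoding the request path until it stops changing (so double encoding such as `%2576` is undone as well) and then applies one plain pattern, while also recording when encoding was used to spell the path and when the body is typed as XML (the content types of Query_3). The request-log format and every request line are constructed for the example; real paths from the appliance are not used.

```python
"""Normalize percent-encoded request paths before matching the /vpns/ script
and XML patterns of Analytics 1 and 2 (added example)."""
import re
from urllib.parse import unquote

# Pattern applied to the DECODED path: a "/vpns/" segment, then a .pl or .xml
# resource that ends the path or is followed by a separator.
VPNS_PATTERN = re.compile(r"/vpns/.*\.(pl|xml)(?=[/?#]|$)", re.IGNORECASE)
METHODS = {"GET", "POST", "HEAD", "PUT"}          # method list from Query_2 of Analytic 1
XML_BODY_TYPES = {"text/xml", "application/xml"}  # body types from Query_3 of Analytic 1

# Constructed sample records: "<src_ip> <method> <uri> <status> <content_type>"
SAMPLE_REQUESTS = """\
203.0.113.5 GET /vpns/example.pl 200 -
203.0.113.5 GET /%76%70%6E%73/example.xml 200 text/xml; charset=utf-8
198.51.100.9 POST /%2576pns/config.xml?x=1 200 application/xml
192.0.2.20 GET /vpn/index.html 200 text/html
192.0.2.21 GET /static/help.pl.txt 200 text/plain
192.0.2.22 OPTIONS /vpns/example.pl 200 -
"""


def normalize_path(uri, max_rounds=3):
    """Strip query/fragment, then percent-decode until the path is stable."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(method, uri, content_type="-"):
    """Return the list of reasons a request matches; empty when it does not."""
    reasons = []
    if method.upper() not in METHODS:
        return reasons
    raw_path = uri.split("?", 1)[0].split("#", 1)[0]
    path = normalize_path(uri)
    match = VPNS_PATTERN.search(path)
    if match:
        reasons.append("vpns_%s_request" % match.group(1).lower())
        if path != raw_path:
            # The literal path only appeared after decoding: encoding was used to hide it.
            reasons.append("percent_encoded_path")
    if content_type.split(";", 1)[0].strip().lower() in XML_BODY_TYPES:
        reasons.append("xml_body")
    return reasons


def scan(log_text):
    """Run classify() over the constructed log; return (src, method, uri, reasons) hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, method, uri, status, ctype = line.split(maxsplit=4)
        reasons = classify(method, uri, ctype)
        if reasons:
            hits.append((src, method, uri, reasons))
    return hits


if __name__ == "__main__":
    for src, method, uri, reasons in scan(SAMPLE_REQUESTS):
        print(f"{src:14} {method:5} {uri:35} {', '.join(reasons)}")
```

On the constructed input the plain `/vpns/example.pl` request, the single-encoded `.xml` request and the double-encoded one are all reported, while `/vpn/index.html`, a `.pl.txt` static file and a request with a method outside the list are not. Whichever form you run, the decoded-path check and the raw-pattern Moloch queries complement each other: the queries search captured traffic in place, and the decoding step shows what the appliance itself would have seen.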

