External Remote Services
Info
ID: AT-GA003
Tactic: Gain Access
Sub-techniques: Exposed Gateway, Exposed Kubernetes API, SSH Access, Unauthenticated Administration Interfaces
External Remote Services
Adversaries may use externally exposed services to gain access to a cloud application environment and deliver malicious content into it. Common targets include remote administration services (e.g., SSH, RDP), container orchestration endpoints (e.g., the Docker Engine API, the Kubernetes API server), and application gateways that are legitimately reachable from outside the organization. Attackers exploit misconfigured or unauthenticated interfaces, or authenticate with stolen credentials, and then use the service to upload, modify, or deploy malicious code.
Once adversaries gain entry through an external remote service, they can pivot further, either by establishing persistent footholds or by immediately reconfiguring resources to prepare for execution. In many cloud environments, these remote services (e.g., VPNs, dashboards, or management APIs) are essential for routine administration, making them particularly valuable access points. The ability to connect from outside the organization often enables attackers to bypass traditional perimeter defenses and blend in with standard maintenance or user traffic.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1037 | Filter Network Traffic | Restrict management-plane ports (SSH, RDP, Docker API, Kubernetes API) to VPN or IP-allow-listed ranges; require mutual TLS (client certificates) on API listeners rather than exposing them unauthenticated. |
| M1026 | Privileged Account Management | Disable password-based logins on remote admin services (e.g., SSH); issue short-lived tokens or just-in-time elevation instead of standing credentials. |
| M1050 | Exploit Protection | Patch management-service images and API servers automatically; validate and reject malformed requests at the server so that known exploits against outdated endpoints fail. |
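The two settings that matter most for M1037 and M1026 on the services named above are an SSH daemon that still accepts passwords and a Docker API listener on TCP without `tlsverify`. The following is an added example (not code from the original page): a small Python audit that parses a constructed `sshd_config` and a constructed Docker `daemon.json`, shows the weak configuration beside the hardened one, and reports the findings. The file contents, paths and addresses are constructed for illustration.

```python
"""Added example: audit sshd_config and Docker daemon.json for the weak settings
behind M1037/M1026. The sample configs below are constructed, not from a real host."""
import json

SSHD_CONFIG_WEAK = """\
# constructed sample: password logins and root login still allowed
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""
SSHD_CONFIG_HARDENED = """\
# constructed sample: key-only authentication, no interactive root login
Port 22
PasswordAuthentication no
PermitRootLogin prohibit-password
"""
# constructed sample: Docker API exposed on all interfaces, no TLS client auth
DAEMON_JSON_WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# constructed sample: listener bound to a management address with mutual TLS
DAEMON_JSON_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.10:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",       # assumed path
    "tlscert": "/etc/docker/server-cert.pem",  # assumed path
    "tlskey": "/etc/docker/server-key.pem",    # assumed path
})


def parse_sshd_config(text):
    """sshd keywords are case-insensitive and the FIRST occurrence wins.
    Everything after a 'Match' line is conditional, so a global audit stops there."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, val)
    return cfg


def audit_sshd(text):
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults PasswordAuthentication to yes, so an absent line is also a finding
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (password logins possible)")
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes (interactive root login over the network)")
    return findings


def audit_docker_daemon(text):
    cfg = json.loads(text)
    findings = []
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        findings.append(f"TCP listener(s) {tcp} without tlsverify: unauthenticated Docker API")
    for h in tcp:
        if "0.0.0.0" in h or "[::]" in h:
            findings.append(f"{h} binds all interfaces; bind to a management address only")
    if cfg.get("tlsverify") and not cfg.get("tlscacert"):
        findings.append("tlsverify set but no tlscacert: client certificates cannot be verified")
    return findings


if __name__ == "__main__":
    for name, fn, cfg in [("sshd weak", audit_sshd, SSHD_CONFIG_WEAK),
                          ("sshd hardened", audit_sshd, SSHD_CONFIG_HARDENED),
                          ("docker weak", audit_docker_daemon, DAEMON_JSON_WEAK),
                          ("docker hardened", audit_docker_daemon, DAEMON_JSON_HARDENED)]:
        print(name, fn(cfg) or "OK")
```

The first-occurrence rule in `parse_sshd_config` is the part worth remembering: a `PasswordAuthentication no` appended at the end of a file that already says `yes` earlier changes nothing, and a naive "last value wins" parser would report the host as hardened when it is not.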
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0029 | Network Traffic Flow | Alert on new inbound connections to management ports from source IP ranges never observed before, and raise severity when the connection is immediately followed by write requests (POST/PUT). |
| DS0002 | User Account Authentication | Detect remote logins that use previously unseen SSH keys or API tokens; raise severity if the session originates from an ASN unrelated to the organization. |
| DS0015 | Application Log | Monitor management API audit logs (e.g., Kubernetes audit events) for creation of new containers or privileged pods by identities that rarely or never perform such actions. |
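The three detections in the table above, implemented as an added example over constructed telemetry (this is not code from the original page or from any detection product). The flow record shape, the management port list, the organization's ASN set and the 30-day pod-creation baseline are all assumptions; the Kubernetes audit lines assume an audit policy logging at level `Request` or `RequestResponse`, since `requestObject` is only present at those levels.

```python
"""Added example: DS0029, DS0002 and DS0015 detections over constructed events.
Event shapes, port list, ASN baseline and user baseline are assumptions."""
import json
from collections import Counter
from datetime import datetime, timedelta

MGMT_PORTS = {22, 3389, 2375, 2376, 6443}   # SSH, RDP, Docker API, Kubernetes API
WRITE_METHODS = {"POST", "PUT", "PATCH"}
ORG_ASNS = {64500}                           # assumed: ASNs the organization normally uses

# --- DS0029: constructed flow records (timestamp, src_ip, dst_port, HTTP method or None)
FLOWS = [
    ("2024-05-01T09:00:00", "10.0.0.5", 6443, "GET"),      # known admin host
    ("2024-05-01T09:01:00", "10.0.0.5", 6443, "POST"),
    ("2024-05-02T03:12:00", "203.0.113.9", 2375, "GET"),   # never-seen source probes Docker API
    ("2024-05-02T03:12:02", "203.0.113.9", 2375, "POST"),  # ...and writes to it 2 s later
    ("2024-05-02T04:00:00", "198.51.100.4", 22, None),     # new source on SSH, no HTTP method
]
KNOWN_SOURCES = {"10.0.0.5"}  # baseline: sources previously seen on management ports


def detect_new_source_then_write(flows, known_sources, window=timedelta(minutes=5)):
    """Low severity for a never-seen source on a management port; high severity
    when that same source issues a write request within `window` of first contact."""
    alerts, first_seen = [], {}
    for ts, src, port, method in flows:
        if port not in MGMT_PORTS or src in known_sources:
            continue
        t = datetime.fromisoformat(ts)
        if src not in first_seen:
            first_seen[src] = t
            alerts.append({"src": src, "port": port, "severity": "low",
                           "reason": "new source on management port"})
        if method in WRITE_METHODS and t - first_seen[src] <= window:
            alerts.append({"src": src, "port": port, "severity": "high",
                           "reason": f"{method} within {window} of first contact"})
    return alerts


# --- DS0002: constructed auth events; `cred` is an SSH key fingerprint or API token ID
AUTH_EVENTS = [
    {"user": "alice", "cred": "SHA256:aaaa...", "src_asn": 64500},  # known key, org ASN
    {"user": "alice", "cred": "SHA256:zzzz...", "src_asn": 64500},  # new key, org ASN
    {"user": "deploy", "cred": "token-id-9f1", "src_asn": 13335},   # new token, foreign ASN
]
KNOWN_CREDS = {"alice": {"SHA256:aaaa..."}, "deploy": {"token-id-1a2"}}


def detect_unseen_credentials(events, known_creds, org_asns=ORG_ASNS):
    alerts = []
    for e in events:
        if e["cred"] in known_creds.get(e["user"], set()):
            continue
        severity = "high" if e["src_asn"] not in org_asns else "medium"
        alerts.append({"user": e["user"], "cred": e["cred"], "severity": severity})
    return alerts


# --- DS0015: constructed Kubernetes audit lines (one JSON event per line)
K8S_AUDIT_LINES = [
    json.dumps({"verb": "create", "user": {"username": "ci-bot"},
                "objectRef": {"resource": "pods", "namespace": "prod"},
                "requestObject": {"spec": {"containers": [
                    {"name": "app", "securityContext": {"privileged": False}}]}}}),
    json.dumps({"verb": "create", "user": {"username": "analyst"},
                "objectRef": {"resource": "pods", "namespace": "prod"},
                "requestObject": {"spec": {"hostPID": True, "containers": [
                    {"name": "dbg", "securityContext": {"privileged": True}}]}}}),
]
POD_CREATE_BASELINE = Counter({"ci-bot": 120, "analyst": 0})  # assumed 30-day history


def is_privileged_pod(event):
    """Privileged container or host namespace sharing in the requested pod spec."""
    spec = event.get("requestObject", {}).get("spec", {})
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        return True
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            return True
    return False


def detect_rare_privileged_pod_creates(lines, baseline, min_history=10):
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("verb") != "create" or ev.get("objectRef", {}).get("resource") != "pods":
            continue
        if not is_privileged_pod(ev):
            continue
        user = ev["user"]["username"]
        if baseline.get(user, 0) < min_history:
            alerts.append({"user": user, "namespace": ev["objectRef"].get("namespace"),
                           "history": baseline.get(user, 0)})
    return alerts


if __name__ == "__main__":
    for a in (detect_new_source_then_write(FLOWS, KNOWN_SOURCES)
              + detect_unseen_credentials(AUTH_EVENTS, KNOWN_CREDS)
              + detect_rare_privileged_pod_creates(K8S_AUDIT_LINES, POD_CREATE_BASELINE)):
        print(a)
```

Two design points: the flow detector keys the high-severity condition on time since first contact rather than on the write alone, because a POST from an established admin source is routine; and the audit-log detector compares against a per-identity history so that a CI account that creates pods all day does not drown out the one analyst account that has never done so.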