Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f)

Restrict access to network resources, such as file shares, remote systems, and services, to only those users, accounts, or systems with a legitimate business requirement. This can include employing technologies like network concentrators, RDP gateways, and zero-trust network access (ZTNA) models, alongside hardening services and protocols. This mitigation can be implemented through the following measures:

Audit and Restrict Access:

  • Regularly audit permissions for file shares, network services, and remote access tools.
  • Remove unnecessary access and enforce least privilege principles for users and services.
  • Use Active Directory and IAM tools to restrict access based on roles and attributes.

Deploy Secure Remote Access Solutions:

  • Use RDP gateways, VPN concentrators, and ZTNA solutions to aggregate and secure remote access connections.
  • Configure access controls to restrict connections based on time, device, and user identity.
  • Enforce MFA for all remote access mechanisms.

Disable Unnecessary Services:

  • Identify running services using tools like netstat (Windows/Linux) or Nmap.
  • Disable unused services, such as Telnet, FTP, and legacy SMB, to reduce the attack surface.
  • Use firewall rules to block traffic on unused ports and protocols.

Network Segmentation and Isolation:

  • Use VLANs, firewalls, or micro-segmentation to isolate critical network resources from general access.
  • Restrict communication between subnets to prevent lateral movement.

Monitor and Log Access:

  • Monitor access attempts to file shares, RDP, and remote network resources using SIEM tools.
  • Enable auditing and logging for successful and failed attempts to access restricted resources.
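
Logging is only useful once something compares the events against the access policy the earlier steps defined. The following is an added example, not code from the page or from any SIEM it mentions: it runs a small detection over constructed share-access events written in a simplified `key=value` form (the `EventID=5140` value follows Windows Security auditing, where 5140 records a network share being accessed, but the lines themselves are invented), checks successful accesses against a per-share allow-list of accounts and source networks, and raises a second alert type when one account accumulates repeated failures. The `SHARE_POLICY` contents, the `FAILURE_THRESHOLD` and the account and share names are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events (simplified key=value form, not a real export).
SAMPLE_EVENTS = r"""
2024-05-01T08:01:10Z EventID=5140 Account=CORP\alice Share=\\FS01\Finance SourceIP=10.1.20.15 Status=Success
2024-05-01T08:02:44Z EventID=5140 Account=CORP\bob Share=\\FS01\Finance SourceIP=10.1.30.7 Status=Success
2024-05-01T08:03:01Z EventID=5140 Account=CORP\mallory Share=\\FS01\Finance SourceIP=10.1.99.4 Status=Failure
2024-05-01T08:03:05Z EventID=5140 Account=CORP\mallory Share=\\FS01\Finance SourceIP=10.1.99.4 Status=Failure
2024-05-01T08:03:09Z EventID=5140 Account=CORP\mallory Share=\\FS01\Finance SourceIP=10.1.99.4 Status=Failure
2024-05-01T08:10:00Z EventID=5140 Account=CORP\carol Share=\\FS01\Public SourceIP=10.1.30.9 Status=Success
2024-05-01T08:15:30Z EventID=5140 Account=CORP\svc-backup Share=\\FS01\Finance SourceIP=10.1.50.2 Status=Success
"""

# Assumed policy: restricted shares map to the accounts and source networks allowed to use them.
# Shares absent from the policy are treated as unrestricted.
SHARE_POLICY = {
    r"\\FS01\Finance": {
        "accounts": {r"CORP\alice", r"CORP\svc-backup"},
        "networks": [ipaddress.ip_network("10.1.20.0/24"), ipaddress.ip_network("10.1.50.0/24")],
    },
}
FAILURE_THRESHOLD = 3  # assumed: failures per (account, share) before alerting

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<account>\S+) "
    r"Share=(?P<share>\S+) SourceIP=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def parse_events(text):
    """Parse the key=value lines; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.strip().splitlines():
        match = EVENT_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def analyze(events, policy=SHARE_POLICY, threshold=FAILURE_THRESHOLD):
    """Return alerts: successful access outside policy, and repeated failures per account/share."""
    alerts = []
    failures = Counter()
    for ev in events:
        if ev["id"] != "5140":
            continue
        if ev["status"] != "Success":
            failures[(ev["account"], ev["share"])] += 1
            continue
        rules = policy.get(ev["share"])
        if rules is None:  # unrestricted share: successful access is expected
            continue
        reasons = []
        if ev["account"] not in rules["accounts"]:
            reasons.append("account not on share allow-list")
        if not any(ipaddress.ip_address(ev["ip"]) in net for net in rules["networks"]):
            reasons.append("source outside approved networks")
        if reasons:
            alerts.append({"kind": "policy_violation", "account": ev["account"],
                           "share": ev["share"], "ip": ev["ip"], "detail": reasons})
    for (account, share), count in failures.items():
        if count >= threshold:
            alerts.append({"kind": "repeated_failures", "account": account,
                           "share": share, "ip": None, "detail": [f"{count} failed attempts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_events(SAMPLE_EVENTS)):
        print(alert["kind"], alert["account"], alert["share"], "; ".join(alert["detail"]))
```

A successful access that the share's ACL permitted but the written policy does not (bob above) is the case worth catching: it means the audit step has drifted from the enforced permissions, and the alert points at exactly which share to re-review. In production the policy would be generated from the same source of truth the permissions are provisioned from, not hand-maintained next to the detection.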

Tools for Implementation

File Share Management:

  • Microsoft Active Directory Group Policies
  • Samba (Linux/Unix file share management)
  • AccessEnum (Windows access auditing tool)

Secure Remote Access:

  • Microsoft Remote Desktop Gateway
  • Apache Guacamole (open-source RDP/VNC gateway)
  • Zero Trust solutions: Tailscale, Cloudflare Zero Trust

Service and Protocol Hardening:

  • Nmap or Nessus for network service discovery
  • Windows Group Policy Editor for disabling SMBv1, Telnet, and legacy protocols
  • iptables or firewalld (Linux) for blocking unnecessary traffic

Network Segmentation:

  • pfSense for open-source network isolation

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Hardware Additions - T1200 (d40239b3-05ff-46d8-9bdd-b46d13463ef9) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92) | Attack Pattern | 1
Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336) | Attack Pattern | 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) | Attack Pattern | Limit Access to Resource Over Network - M1035 (1dcaeb21-9348-42ea-950a-f842aaf1ae1f) | Course of Action | 1
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) | Attack Pattern | Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) | Attack Pattern | 2
ARP Cache Poisoning - T1557.002 (cabe189c-a0e3-4965-a473-dcff00f17213) | Attack Pattern | Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) | Attack Pattern | TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) | Attack Pattern | 2
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | 2