AC-17: Remote Access
From NIST's SP800-53:
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1059.005 | Visual Basic | Execution |
| T1059.006 | Python | Execution |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1563.002 | RDP Hijacking | Lateral Movement |
| T1059.003 | Windows Command Shell | Execution |
| T1119 | Automated Collection | Collection |
| T1137 | Office Application Startup | Persistence |
| T1040 | Network Sniffing | Credential Access, Discovery |
| T1021 | Remote Services | Lateral Movement |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1552.002 | Credentials in Registry | Credential Access |
| T1114.002 | Remote Email Collection | Collection |
| T1530 | Data from Cloud Storage | Collection |
| T1114.003 | Email Forwarding Rule | Collection |
| T1021.004 | SSH | Lateral Movement |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
| T1602 | Data from Configuration Repository | Collection |
| T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
| T1565.001 | Stored Data Manipulation | Impact |
| T1610 | Deploy Container | Defense Evasion, Execution |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1613 | Container and Resource Discovery | Discovery |
| T1213 | Data from Information Repositories | Collection |
| T1047 | Windows Management Instrumentation | Execution |
| T1558.002 | Silver Ticket | Credential Access |
| T1213.001 | Confluence | Collection |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1505.005 | Terminal Services DLL | Persistence |
| T1114 | Email Collection | Collection |
| T1547.012 | Print Processors | Persistence, Privilege Escalation |
| T1547.003 | Time Providers | Persistence, Privilege Escalation |
| T1213.002 | Sharepoint | Collection |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| T1552.007 | Container API | Credential Access |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1565.002 | Transmitted Data Manipulation | Impact |
| T1059.001 | PowerShell | Execution |
| T1552 | Unsecured Credentials | Credential Access |
| T1612 | Build Image on Host | Defense Evasion |
| T1558.003 | Kerberoasting | Credential Access |
| T1059.007 | JavaScript | Execution |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1619 | Cloud Storage Object Discovery | Discovery |
| T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
| T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1059 | Command and Scripting Interpreter | Execution |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |