T1133 External Remote Services Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PrivateRanges = dynamic(["10.", "172.16.", "172.17.", "172.18.", "172.19.", "172.20.",
    "172.21.", "172.22.", "172.23.", "172.24.", "172.25.", "172.26.", "172.27.", "172.28.",
    "172.29.", "172.30.", "172.31.", "192.168.", "127.", "::1", "fe80"]);
let RemoteAccessApps = dynamic([
    "GlobalProtect", "Pulse Secure", "Cisco AnyConnect", "Fortinet SSL VPN",
    "Check Point Remote Access VPN", "F5 BIG-IP APM", "Citrix Gateway",
    "VMware Horizon", "RDP Gateway", "SoftEther VPN", "Juniper SSL VPN"]);
// Branch 1: Azure AD sign-ins to remote access applications from external IPs
let AADSignIns = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| where AppDisplayName has_any (RemoteAccessApps)
| where not(IPAddress has_any (PrivateRanges))
| extend DetectionBranch = "AAD_VPN_Citrix_External"
| project TimeGenerated, AccountName = UserPrincipalName, SourceIP = IPAddress,
          TargetService = AppDisplayName, DetectionBranch, Location,
          RiskLevel = RiskLevelDuringSignIn;
// Branch 2: RDP logons (LogonType 10 = RemoteInteractive) from external IPs
let ExternalRDP = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 10
| where IpAddress !in ("", "-", "127.0.0.1", "::1")
| where not(IpAddress has_any (PrivateRanges))
| extend DetectionBranch = "SecurityEvent_RDP_External"
| project TimeGenerated, AccountName = TargetUserName, SourceIP = IpAddress,
          TargetService = "RDP_RemoteInteractive", DetectionBranch, Computer;
// Branch 3: Network logons (LogonType 3) from external IPs — covers WinRM, SMB, Net Use
let ExternalNetworkLogon = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 3
| where IpAddress !in ("", "-", "127.0.0.1", "::1")
| where not(IpAddress has_any (PrivateRanges))
| where TargetUserName !endswith "$"  // Exclude machine accounts
| extend DetectionBranch = "SecurityEvent_NetworkLogon_External"
| project TimeGenerated, AccountName = TargetUserName, SourceIP = IpAddress,
          TargetService = "Network_WinRM", DetectionBranch, Computer;
// Branch 4: MDE endpoint-side remote logon telemetry
let MDERemoteLogons = DeviceLogonEvents
| where Timestamp > ago(24h)
| where ActionType == "LogonSuccess"
| where LogonType in ("RemoteInteractive", "Network")
| where RemoteIPType == "Public"
| extend DetectionBranch = "MDE_RemoteLogon_External"
| project TimeGenerated = Timestamp, AccountName, SourceIP = RemoteIP,
          TargetService = strcat("MDE_", LogonType), DetectionBranch,
          Computer = DeviceName;
union AADSignIns, ExternalRDP, ExternalNetworkLogon, MDERemoteLogons
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Authentication: Authentication Logon Session: Logon Session Creation Network Traffic: Network Traffic Flow Azure Active Directory Sign-in Logs Microsoft Defender for Endpoint

Required Tables

SigninLogs SecurityEvent DeviceLogonEvents

False Positives

Legitimate remote workers connecting to corporate VPN or Citrix from home or hotel networks — the external IP is expected and authorized
IT administrators using RDP or WinRM from authorized jump hosts or bastion servers with external-routable IPs
Third-party vendors and contractors with documented remote access agreements connecting from their own infrastructure
Cloud-hosted management planes (Azure DevOps agents, AWS Systems Manager, etc.) whose gateway IPs appear external
Employees traveling internationally whose access from a foreign country IP triggers the detection despite valid authorization

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 (LogonType=10 OR LogonType=3)
| eval SourceIP=coalesce(IpAddress, src_ip, "-")
| where SourceIP != "-" AND SourceIP != "" AND SourceIP != "127.0.0.1" AND SourceIP != "::1"
| where NOT match(SourceIP, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|fe80|::1|0\.0\.0\.0)")
| eval ServiceType=case(
    LogonType=10, "RDP_RemoteInteractive",
    LogonType=3,  "Network_WinRM_SMB",
    true(),       "Other")
| eval AccountName=coalesce(TargetUserName, user)
| where NOT match(AccountName, "\$$")
| eval AuthPackage=coalesce(AuthenticationPackageName, "-")
| eval IsHighValue=if(LogonType=10, "YES", "NO")
| table _time, host, AccountName, SourceIP, ServiceType, IsHighValue, AuthPackage, WorkstationName, LogonType
| sort - IsHighValue, - _time

high severity medium confidence

Data Sources

Authentication: Authentication Logon Session: Logon Session Creation Windows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives

Remote workers authenticating through corporate VPN where the VPN concentrator IP appears as the source — the source IP will show as the VPN gateway, not the employee's home IP
IT staff performing authorized remote administration from jump servers or cloud management hosts with external-routable IPs
Monitoring and ITSM platforms (SCCM, Ansible, ServiceNow MID Server) whose management network addresses are external-routable
Cloud virtual desktops (Azure Virtual Desktop, Citrix Cloud) where the cloud gateway IP is external and proxies the session
Disaster recovery or business continuity scenarios where staff access systems from non-standard locations

Elastic Security (EQL)

eql

authentication where
  event.code == "4624" and
  (
    winlog.event_data.LogonType == "10" or
    winlog.event_data.LogonType == "3"
  ) and
  source.ip != null and
  source.ip != "127.0.0.1" and
  source.ip != "::1" and
  not cidrmatch(source.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16") and
  not winlog.event_data.TargetUserName like "*$" and
  winlog.event_data.TargetUserName != "-" and
  winlog.event_data.TargetUserName != ""

high severity high confidence

Data Sources

Windows Event Logs Winlogbeat Elastic Agent System Integration

Required Tables

logs-system.security* winlogbeat-* .ds-logs-system.security*

False Positives

Legitimate remote employees on split-tunnel VPN configurations where the endpoint records the user's public ISP IP rather than the VPN gateway address in logon events
IT administrators performing authorized RDP sessions from home networks or travel locations not covered by corporate IP allowlists
Third-party vendors or managed service providers with standing remote access agreements using their own network IP ranges for scheduled maintenance

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  username AS AccountName,
  SOURCEIP AS SourceIP,
  "Logon Type" AS LogonType,
  QIDNAME(qid) AS EventName,
  hostname AS TargetHost,
  CASE
    WHEN "Logon Type" = '10' THEN 'RDP_RemoteInteractive'
    WHEN "Logon Type" = '3'  THEN 'Network_WinRM_SMB'
    ELSE 'Other'
  END AS ServiceType
FROM events
WHERE LOGSOURCETYPEID IN (12, 73)
  AND "Event ID" = 4624
  AND ("Logon Type" = '10' OR "Logon Type" = '3')
  AND SOURCEIP IS NOT NULL
  AND SOURCEIP != '0.0.0.0'
  AND SOURCEIP != '127.0.0.1'
  AND NOT INCIDR(SOURCEIP, '10.0.0.0/8')
  AND NOT INCIDR(SOURCEIP, '172.16.0.0/12')
  AND NOT INCIDR(SOURCEIP, '192.168.0.0/16')
  AND NOT INCIDR(SOURCEIP, '127.0.0.0/8')
  AND username NOT LIKE '%$'
  AND username != '-'
  AND username != ''
LAST 24 HOURS
ORDER BY starttime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log WinCollect Agent Microsoft Windows DSM

Required Tables

events

False Positives

Remote workers using split-tunnel VPN where the source IP recorded in the Security event log reflects the user's public ISP address rather than the corporate VPN gateway
Managed service providers with pre-approved external access ranges performing scheduled maintenance RDP sessions outside business hours
Automated backup or monitoring agents that authenticate via network logon from cloud-hosted infrastructure with public IP addresses not yet added to CIDR exclusion lists

Sumo Logic CSE

sql

_sourceCategory=windows/security OR _sourceCategory=windows/events
| where EventCode = "4624"
| parse field=Message "Logon Type:*" as LogonType nodrop
| parse field=Message "Account Name:*" as AccountName nodrop
| parse field=Message "Source Network Address:*" as SourceIP nodrop
| parse field=Message "Source Port:*" as SourcePort nodrop
| where LogonType = "10" OR LogonType = "3"
| where SourceIP != "-" AND SourceIP != "" AND SourceIP != "127.0.0.1" AND SourceIP != "::1" AND SourceIP != "0.0.0.0"
| where !matches(SourceIP, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|fe80|::1)")
| where !endsWith(AccountName, "$")
| eval ServiceType = if(LogonType = "10", "RDP_RemoteInteractive", "Network_WinRM_SMB")
| eval IsHighValue = if(LogonType = "10", "YES", "NO")
| table _time, _sourceHost, AccountName, SourceIP, ServiceType, IsHighValue, LogonType, SourcePort
| sort - IsHighValue, - _time

high severity high confidence

Data Sources

Sumo Logic Windows Security Event Log Sumo Logic Installed Collector

Required Tables

windows/security windows/events

False Positives

Legitimate remote employees connecting directly to corporate resources from home broadband connections without VPN IP masking at the endpoint level
IT support platforms such as remote management software that initiate network logons from their relay or proxy server public IP addresses rather than the end-user's IP
Cross-domain or cross-forest trust authentication where domain controllers record the authenticating DC's external IP address during inter-forest trust traversal

Google Chronicle / SecOps

yaral

rule t1133_external_remote_services {
  meta:
    author = "df00tech"
    description = "Detects T1133 - External Remote Services: RDP and network logons from non-RFC1918 IP addresses indicating external initial access or persistence via remote services"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1133"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.ip != ""
    not re.regex($e.principal.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fe80)`)
    $e.target.user.userid != ""
    not re.regex($e.target.user.userid, `.*\$$`)
    (
      $e.extensions.auth.mechanism = "REMOTE_INTERACTIVE" or
      $e.extensions.auth.mechanism = "NETWORK"
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle Windows Event Forwarding Chronicle UDM Normalization Google Workspace / Identity Logs

Required Tables

UDM Events (USER_LOGIN type)

False Positives

Authorized remote administrators whose source IP ranges are not covered by Chronicle reference list exceptions, especially during after-hours incident response or on-call escalations
Cloud identity providers (Okta, Entra ID) where the recorded principal IP reflects IdP proxy infrastructure IP rather than the actual end-user's client address
Geographic IP misclassification where legitimate corporate egress IPs are not recognized as internal due to incomplete or outdated CIDR coverage in the detection CIDR exclusion logic

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "UserLogon"
| LogonType in values=[10, 3]
| RemoteAddressIP4 != "0.0.0.0"
| RemoteAddressIP4 != "127.0.0.1"
| RemoteAddressIP4 != "::1"
| !cidr(RemoteAddressIP4, subnet="10.0.0.0/8")
| !cidr(RemoteAddressIP4, subnet="172.16.0.0/12")
| !cidr(RemoteAddressIP4, subnet="192.168.0.0/16")
| !cidr(RemoteAddressIP4, subnet="127.0.0.0/8")
| !match(field=UserName, regex=@"\$$")
| UserName != "-"
| UserName != ""
| ServiceType := case {
    LogonType = "10" => "RDP_RemoteInteractive";
    LogonType = "3" => "Network_WinRM_SMB";
    * => "Other"
  }
| IsHighValue := if(LogonType = "10", "YES", "NO")
| table([_time, ComputerName, UserName, RemoteAddressIP4, ServiceType, IsHighValue, LogonType])
| sort(field=IsHighValue, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale Falcon Sensor Endpoint Telemetry

Required Tables

UserLogon (#event_simpleName)

False Positives

Remote employees whose home or travel IP addresses fall outside the corporate CIDR exclusion lists maintained in the LogScale lookup tables
CrowdStrike-enrolled endpoints accessed by authorized vendor support teams via RDP from their own organization's network ranges not in the exclusion list
Cloud workloads hosted in AWS, Azure, or GCP that accept inbound network authentication from other cloud-hosted services presenting public IP addresses as part of normal architecture

External Remote Services

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Persistence

Popular Detections