Detect External Remote Services in Google Chronicle
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries typically obtain valid credentials first via phishing, credential stuffing, or prior compromise, then authenticate to these services from external infrastructure. This technique covers VPN gateways (GlobalProtect, AnyConnect, Pulse Secure, SoftEther), Remote Desktop Protocol, Windows Remote Management, Citrix, VNC, SSH, and exposed container APIs (Docker daemon on TCP 2375/2376, Kubernetes API server on 6443, kubelet on 10250). Threat groups including LAPSUS$, Volt Typhoon, Ember Bear, OilRig, GALLIUM, Scattered Spider, APT41, and Sandworm Team have been observed abusing legitimate remote access mechanisms for initial access and persistent footholds. In containerized environments, adversaries may target exposed Docker APIs or Kubernetes management interfaces that accept anonymous or unauthenticated connections. Adversaries may also establish persistence through Tor hidden services using tools like ShadowLink, which may masquerade as legitimate Windows Defender components to forward inbound RDP connections over the Tor network.
MITRE ATT&CK
- Tactic
- Persistence Initial Access
- Technique
- T1133 External Remote Services
- Canonical reference
- https://attack.mitre.org/techniques/T1133/
YARA-L Detection Query
rule t1133_external_remote_services {
meta:
author = "df00tech"
description = "Detects T1133 - External Remote Services: RDP and network logons from non-RFC1918 IP addresses indicating external initial access or persistence via remote services"
mitre_attack_tactic = "Initial Access"
mitre_attack_technique = "T1133"
severity = "HIGH"
confidence = "HIGH"
version = "1.0"
events:
$e.metadata.event_type = "USER_LOGIN"
$e.principal.ip != ""
not re.regex($e.principal.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fe80)`)
$e.target.user.userid != ""
not re.regex($e.target.user.userid, `.*\$$`)
(
$e.extensions.auth.mechanism = "REMOTE_INTERACTIVE" or
$e.extensions.auth.mechanism = "NETWORK"
)
condition:
$e
}Detects T1133 - External Remote Services using Google Chronicle YARA-L 2.0. Matches USER_LOGIN UDM events where the principal IP is a non-RFC1918 address and the authentication mechanism indicates remote interactive (RDP mapped to REMOTE_INTERACTIVE) or network-based (WinRM/SMB mapped to NETWORK) logon. Backtick raw strings used for regex patterns to avoid escape conflicts. Machine accounts excluded via suffix regex match on userid.
Data Sources
Required Tables
False Positives & Tuning
- Authorized remote administrators whose source IP ranges are not covered by Chronicle reference list exceptions, especially during after-hours incident response or on-call escalations
- Cloud identity providers (Okta, Entra ID) where the recorded principal IP reflects IdP proxy infrastructure IP rather than the actual end-user's client address
- Geographic IP misclassification where legitimate corporate egress IPs are not recognized as internal due to incomplete or outdated CIDR coverage in the detection CIDR exclusion logic
Other platforms for T1133
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable and Connect via RDP to Generate LogonType 10 Event (Windows)
Expected signal: Windows Security EventID 4624 with LogonType=10 (RemoteInteractive) and IpAddress=127.0.0.1 in Security event log. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational EventID 1149 recording the RDP connection with username and source address. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational EventID 21 (session logon) and 22 (shell start) on successful session establishment.
- Test 2WinRM Network Logon to Generate LogonType 3 Event (Windows)
Expected signal: Windows Security EventID 4624 with LogonType=3 (Network) and AuthenticationPackageName=NTLM or Kerberos. Sysmon EventID 3 (Network Connection) from wsmprovhost.exe (WinRM provider host). Sysmon EventID 1 (Process Create) for wsmprovhost.exe. PowerShell ScriptBlock Log EventID 4104 for executed commands. Windows Remote Management log in Microsoft-Windows-WinRM/Operational.
- Test 3Query Exposed Docker API to Simulate TeamTNT Initial Access (Linux)
Expected signal: Docker daemon log (/var/log/docker.log or journalctl -u docker --since '5 minutes ago'): GET /version and GET /containers/json HTTP requests logged with source IP and timestamp. Network connection to TCP 2375 visible in ss -tnp or netstat output. Auditd syscall events for the accept() and read() syscalls if network auditing is enabled. Sysmon for Linux EventID 3 if deployed.
- Test 4SSH Repeated Failed Authentication Followed by Success (Linux)
Expected signal: Linux auth log (/var/log/auth.log on Debian/Ubuntu or /var/log/secure on RHEL/CentOS): multiple 'Invalid user nonexistentuser_N from 127.0.0.1' and 'Failed none for invalid user' entries. Sysmon for Linux EventID 3 (Network Connection) from ssh client process to port 22. Auditd USER_AUTH records for each failed attempt with res=failed. fail2ban log entries if deployed.
References (12)
- https://attack.mitre.org/techniques/T1133/
- https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
- https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
- https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue
- https://media.defense.gov/2024/Feb/07/2003377460/-1/-1/0/CSA-PRC-CRITICAL-INFRASTRUCTURE.PDF
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md
- https://sygnia.co/threat-intelligence-reports/velvet-ant/
Unlock Pro Content
Get the full detection package for T1133 including response playbook, investigation guide, and atomic red team tests.