Detect External Remote Services in Elastic Security
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries typically obtain valid credentials first via phishing, credential stuffing, or prior compromise, then authenticate to these services from external infrastructure. This technique covers VPN gateways (GlobalProtect, AnyConnect, Pulse Secure, SoftEther), Remote Desktop Protocol, Windows Remote Management, Citrix, VNC, SSH, and exposed container APIs (Docker daemon on TCP 2375/2376, Kubernetes API server on 6443, kubelet on 10250). Threat groups including LAPSUS$, Volt Typhoon, Ember Bear, OilRig, GALLIUM, Scattered Spider, APT41, and Sandworm Team have been observed abusing legitimate remote access mechanisms for initial access and persistent footholds. In containerized environments, adversaries may target exposed Docker APIs or Kubernetes management interfaces that accept anonymous or unauthenticated connections. Adversaries may also establish persistence through Tor hidden services using tools like ShadowLink, which may masquerade as legitimate Windows Defender components to forward inbound RDP connections over the Tor network.
MITRE ATT&CK
- Tactic
- Persistence Initial Access
- Technique
- T1133 External Remote Services
- Canonical reference
- https://attack.mitre.org/techniques/T1133/
Elastic Detection Query
authentication where
event.code == "4624" and
(
winlog.event_data.LogonType == "10" or
winlog.event_data.LogonType == "3"
) and
source.ip != null and
source.ip != "127.0.0.1" and
source.ip != "::1" and
not cidrmatch(source.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16") and
not winlog.event_data.TargetUserName like "*$" and
winlog.event_data.TargetUserName != "-" and
winlog.event_data.TargetUserName != ""Detects T1133 - External Remote Services by identifying Windows Security Event 4624 logons with LogonType 10 (RemoteInteractive/RDP) or LogonType 3 (Network/WinRM) originating from non-RFC1918 IP addresses. Excludes machine accounts and private address space to surface external adversarial access via exposed remote services including VPN gateways, RDP, WinRM, Citrix, and similar external-facing services.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate remote employees on split-tunnel VPN configurations where the endpoint records the user's public ISP IP rather than the VPN gateway address in logon events
- IT administrators performing authorized RDP sessions from home networks or travel locations not covered by corporate IP allowlists
- Third-party vendors or managed service providers with standing remote access agreements using their own network IP ranges for scheduled maintenance
Other platforms for T1133
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable and Connect via RDP to Generate LogonType 10 Event (Windows)
Expected signal: Windows Security EventID 4624 with LogonType=10 (RemoteInteractive) and IpAddress=127.0.0.1 in Security event log. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational EventID 1149 recording the RDP connection with username and source address. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational EventID 21 (session logon) and 22 (shell start) on successful session establishment.
- Test 2WinRM Network Logon to Generate LogonType 3 Event (Windows)
Expected signal: Windows Security EventID 4624 with LogonType=3 (Network) and AuthenticationPackageName=NTLM or Kerberos. Sysmon EventID 3 (Network Connection) from wsmprovhost.exe (WinRM provider host). Sysmon EventID 1 (Process Create) for wsmprovhost.exe. PowerShell ScriptBlock Log EventID 4104 for executed commands. Windows Remote Management log in Microsoft-Windows-WinRM/Operational.
- Test 3Query Exposed Docker API to Simulate TeamTNT Initial Access (Linux)
Expected signal: Docker daemon log (/var/log/docker.log or journalctl -u docker --since '5 minutes ago'): GET /version and GET /containers/json HTTP requests logged with source IP and timestamp. Network connection to TCP 2375 visible in ss -tnp or netstat output. Auditd syscall events for the accept() and read() syscalls if network auditing is enabled. Sysmon for Linux EventID 3 if deployed.
- Test 4SSH Repeated Failed Authentication Followed by Success (Linux)
Expected signal: Linux auth log (/var/log/auth.log on Debian/Ubuntu or /var/log/secure on RHEL/CentOS): multiple 'Invalid user nonexistentuser_N from 127.0.0.1' and 'Failed none for invalid user' entries. Sysmon for Linux EventID 3 (Network Connection) from ssh client process to port 22. Auditd USER_AUTH records for each failed attempt with res=failed. fail2ban log entries if deployed.
References (12)
- https://attack.mitre.org/techniques/T1133/
- https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
- https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
- https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue
- https://media.defense.gov/2024/Feb/07/2003377460/-1/-1/0/CSA-PRC-CRITICAL-INFRASTRUCTURE.PDF
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md
- https://sygnia.co/threat-intelligence-reports/velvet-ant/
Unlock Pro Content
Get the full detection package for T1133 including response playbook, investigation guide, and atomic red team tests.