Detect External Remote Services in IBM QRadar
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries typically obtain valid credentials first via phishing, credential stuffing, or prior compromise, then authenticate to these services from external infrastructure. This technique covers VPN gateways (GlobalProtect, AnyConnect, Pulse Secure, SoftEther), Remote Desktop Protocol, Windows Remote Management, Citrix, VNC, SSH, and exposed container APIs (Docker daemon on TCP 2375/2376, Kubernetes API server on 6443, kubelet on 10250). Threat groups including LAPSUS$, Volt Typhoon, Ember Bear, OilRig, GALLIUM, Scattered Spider, APT41, and Sandworm Team have been observed abusing legitimate remote access mechanisms for initial access and persistent footholds. In containerized environments, adversaries may target exposed Docker APIs or Kubernetes management interfaces that accept anonymous or unauthenticated connections. Adversaries may also establish persistence through Tor hidden services using tools like ShadowLink, which may masquerade as legitimate Windows Defender components to forward inbound RDP connections over the Tor network.
MITRE ATT&CK
- Tactic
- Persistence Initial Access
- Technique
- T1133 External Remote Services
- Canonical reference
- https://attack.mitre.org/techniques/T1133/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
username AS AccountName,
SOURCEIP AS SourceIP,
"Logon Type" AS LogonType,
QIDNAME(qid) AS EventName,
hostname AS TargetHost,
CASE
WHEN "Logon Type" = '10' THEN 'RDP_RemoteInteractive'
WHEN "Logon Type" = '3' THEN 'Network_WinRM_SMB'
ELSE 'Other'
END AS ServiceType
FROM events
WHERE LOGSOURCETYPEID IN (12, 73)
AND "Event ID" = 4624
AND ("Logon Type" = '10' OR "Logon Type" = '3')
AND SOURCEIP IS NOT NULL
AND SOURCEIP != '0.0.0.0'
AND SOURCEIP != '127.0.0.1'
AND NOT INCIDR(SOURCEIP, '10.0.0.0/8')
AND NOT INCIDR(SOURCEIP, '172.16.0.0/12')
AND NOT INCIDR(SOURCEIP, '192.168.0.0/16')
AND NOT INCIDR(SOURCEIP, '127.0.0.0/8')
AND username NOT LIKE '%$'
AND username != '-'
AND username != ''
LAST 24 HOURS
ORDER BY starttime DESCDetects T1133 - External Remote Services in IBM QRadar by querying normalized Windows Security Event 4624 with LogonType 10 (RDP) or 3 (Network/WinRM) from non-private source IPs. Scoped to Windows Security log source types (LOGSOURCETYPEID 12 for Microsoft Windows Security Event Log, 73 for Microsoft Windows). INCIDR() filters all RFC1918 and loopback ranges. Machine accounts excluded via username suffix filter.
Data Sources
Required Tables
False Positives & Tuning
- Remote workers using split-tunnel VPN where the source IP recorded in the Security event log reflects the user's public ISP address rather than the corporate VPN gateway
- Managed service providers with pre-approved external access ranges performing scheduled maintenance RDP sessions outside business hours
- Automated backup or monitoring agents that authenticate via network logon from cloud-hosted infrastructure with public IP addresses not yet added to CIDR exclusion lists
Other platforms for T1133
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable and Connect via RDP to Generate LogonType 10 Event (Windows)
Expected signal: Windows Security EventID 4624 with LogonType=10 (RemoteInteractive) and IpAddress=127.0.0.1 in Security event log. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational EventID 1149 recording the RDP connection with username and source address. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational EventID 21 (session logon) and 22 (shell start) on successful session establishment.
- Test 2WinRM Network Logon to Generate LogonType 3 Event (Windows)
Expected signal: Windows Security EventID 4624 with LogonType=3 (Network) and AuthenticationPackageName=NTLM or Kerberos. Sysmon EventID 3 (Network Connection) from wsmprovhost.exe (WinRM provider host). Sysmon EventID 1 (Process Create) for wsmprovhost.exe. PowerShell ScriptBlock Log EventID 4104 for executed commands. Windows Remote Management log in Microsoft-Windows-WinRM/Operational.
- Test 3Query Exposed Docker API to Simulate TeamTNT Initial Access (Linux)
Expected signal: Docker daemon log (/var/log/docker.log or journalctl -u docker --since '5 minutes ago'): GET /version and GET /containers/json HTTP requests logged with source IP and timestamp. Network connection to TCP 2375 visible in ss -tnp or netstat output. Auditd syscall events for the accept() and read() syscalls if network auditing is enabled. Sysmon for Linux EventID 3 if deployed.
- Test 4SSH Repeated Failed Authentication Followed by Success (Linux)
Expected signal: Linux auth log (/var/log/auth.log on Debian/Ubuntu or /var/log/secure on RHEL/CentOS): multiple 'Invalid user nonexistentuser_N from 127.0.0.1' and 'Failed none for invalid user' entries. Sysmon for Linux EventID 3 (Network Connection) from ssh client process to port 22. Auditd USER_AUTH records for each failed attempt with res=failed. fail2ban log entries if deployed.
References (12)
- https://attack.mitre.org/techniques/T1133/
- https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
- https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
- https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue
- https://media.defense.gov/2024/Feb/07/2003377460/-1/-1/0/CSA-PRC-CRITICAL-INFRASTRUCTURE.PDF
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md
- https://sygnia.co/threat-intelligence-reports/velvet-ant/
Unlock Pro Content
Get the full detection package for T1133 including response playbook, investigation guide, and atomic red team tests.