T1133 Microsoft Sentinel · KQL

Detect External Remote Services in Microsoft Sentinel

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries typically obtain valid credentials first via phishing, credential stuffing, or prior compromise, then authenticate to these services from external infrastructure. This technique covers VPN gateways (GlobalProtect, AnyConnect, Pulse Secure, SoftEther), Remote Desktop Protocol, Windows Remote Management, Citrix, VNC, SSH, and exposed container APIs (Docker daemon on TCP 2375/2376, Kubernetes API server on 6443, kubelet on 10250). Threat groups including LAPSUS$, Volt Typhoon, Ember Bear, OilRig, GALLIUM, Scattered Spider, APT41, and Sandworm Team have been observed abusing legitimate remote access mechanisms for initial access and persistent footholds. In containerized environments, adversaries may target exposed Docker APIs or Kubernetes management interfaces that accept anonymous or unauthenticated connections. Adversaries may also establish persistence through Tor hidden services using tools like ShadowLink, which may masquerade as legitimate Windows Defender components to forward inbound RDP connections over the Tor network.

MITRE ATT&CK

Tactic
Persistence, Initial Access
Technique
T1133 External Remote Services
Canonical reference
https://attack.mitre.org/techniques/T1133/

KQL Detection Query

Microsoft Sentinel (KQL)
// Internal-source test. The original prefix list was checked with has_any, which is
// term-based ("10." also matches 203.0.113.10), so RFC 1918 is now tested with
// ipv4_is_private(), loopback and link-local with CIDR ranges, and IPv6 loopback,
// link-local and unique-local by prefix. coalesce() stops non-IPv4 strings (IPv6 sources)
// from evaluating to null and silently dropping out of the filter.
let IsInternalIp = (ip:string) {
    coalesce(ipv4_is_private(ip), false)
    or coalesce(ipv4_is_in_any_range(ip, dynamic(["127.0.0.0/8", "169.254.0.0/16"])), false)
    or ip == "::1" or ip startswith "fe80" or ip startswith "fc" or ip startswith "fd"
};
let RemoteAccessApps = dynamic([
    "GlobalProtect", "Pulse Secure", "Cisco AnyConnect", "Fortinet SSL VPN",
    "Check Point Remote Access VPN", "F5 BIG-IP APM", "Citrix Gateway",
    "VMware Horizon", "RDP Gateway", "SoftEther VPN", "Juniper SSL VPN"]);
// Branch 1: Azure AD sign-ins to remote access applications from external IPs
let AADSignIns = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"  // ResultType is a string column; "0" is a successful sign-in
| where AppDisplayName has_any (RemoteAccessApps)
| where isnotempty(IPAddress) and not(IsInternalIp(IPAddress))
| extend DetectionBranch = "AAD_VPN_Citrix_External"
| project TimeGenerated, AccountName = UserPrincipalName, SourceIP = IPAddress,
          TargetService = AppDisplayName, DetectionBranch, Location,
          RiskLevel = RiskLevelDuringSignIn;
// Branch 2: RDP logons (LogonType 10 = RemoteInteractive) from external IPs
let ExternalRDP = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 10
| where IpAddress !in ("", "-", "127.0.0.1", "::1")
| where not(IsInternalIp(IpAddress))
| extend DetectionBranch = "SecurityEvent_RDP_External"
| project TimeGenerated, AccountName = TargetUserName, SourceIP = IpAddress,
          TargetService = "RDP_RemoteInteractive", DetectionBranch, Computer;
// Branch 3: Network logons (LogonType 3) from external IPs: covers WinRM, SMB, net use
let ExternalNetworkLogon = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 3
| where IpAddress !in ("", "-", "127.0.0.1", "::1")
| where not(IsInternalIp(IpAddress))
| where TargetUserName !endswith "$"  // Exclude machine accounts
| extend DetectionBranch = "SecurityEvent_NetworkLogon_External"
| project TimeGenerated, AccountName = TargetUserName, SourceIP = IpAddress,
          TargetService = "Network_WinRM", DetectionBranch, Computer;
// Branch 4: MDE endpoint-side remote logon telemetry. RemoteIPType == "Public" already
// excludes private, loopback and link-local sources, so no address test is needed here.
let MDERemoteLogons = DeviceLogonEvents
| where Timestamp > ago(24h)
| where ActionType == "LogonSuccess"
| where LogonType in ("RemoteInteractive", "Network")
| where RemoteIPType == "Public"
| extend DetectionBranch = "MDE_RemoteLogon_External"
| project TimeGenerated = Timestamp, AccountName, SourceIP = RemoteIP,
          TargetService = strcat("MDE_", LogonType), DetectionBranch,
          Computer = DeviceName;
// isfuzzy=true keeps the rule running in workspaces where one of the tables is not onboarded
union isfuzzy=true AADSignIns, ExternalRDP, ExternalNetworkLogon, MDERemoteLogons
| sort by TimeGenerated desc
Severity: high · Confidence: medium

Multi-branch detection for T1133 External Remote Services abuse. Branch 1 monitors Azure AD SigninLogs for successful authentication to known VPN and Citrix applications from non-RFC 1918 IPs. Branch 2 detects Security Event 4624 LogonType 10 (RemoteInteractive/RDP) from external IPs. Branch 3 detects Security Event 4624 LogonType 3 (Network/WinRM) from external IPs, excluding machine accounts. Branch 4 uses Microsoft Defender for Endpoint DeviceLogonEvents for endpoint-side telemetry filtered to RemoteIPType == Public. All branches exclude RFC 1918 private address ranges, loopback, and link-local addresses.

Data Sources

  • Authentication: Authentication
  • Logon Session: Logon Session Creation
  • Network Traffic: Network Traffic Flow
  • Azure Active Directory Sign-in Logs
  • Microsoft Defender for Endpoint

Required Tables

  • SigninLogs
  • SecurityEvent
  • DeviceLogonEvents

False Positives & Tuning

  • Legitimate remote workers connecting to corporate VPN or Citrix from home or hotel networks — the external IP is expected and authorized
  • IT administrators using RDP or WinRM from authorized jump hosts or bastion servers with external-routable IPs
  • Third-party vendors and contractors with documented remote access agreements connecting from their own infrastructure
  • Cloud-hosted management planes (Azure DevOps agents, AWS Systems Manager, etc.) whose gateway IPs appear external
  • Employees traveling internationally whose access from a foreign country IP triggers the detection despite valid authorization
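A tuning layer for the false positives listed above, as an added example that is not part of the rule on this page. It applies to the SigninLogs branch (the same pattern fits the other branches), suppresses documented external ranges via a Sentinel watchlist, and alerts only on account/source-IP pairs with no 30-day history, so a remote worker's usual home IP is known while a credential used from new infrastructure is not. The watchlist name "AuthorizedRemoteRanges" and its "Cidr" column are assumptions.

```kusto
// Added tuning layer (not the page's rule). Assumes a Sentinel watchlist named
// "AuthorizedRemoteRanges" with a "Cidr" column holding vendor, jump-host and cloud
// management-plane ranges in prefix notation; name and column are assumptions.
let Lookback = 30d;
let AuthorizedRanges = toscalar(
    _GetWatchlist('AuthorizedRemoteRanges')
    | summarize make_list(Cidr));
// coalesce() keeps IPv6 sources from turning into null and vanishing from the filter
let IsExternal = (ip:string) {
    isnotempty(ip) and not(coalesce(ipv4_is_private(ip), false))
};
// Baseline: (account, external IP) pairs seen in the lookback window before the
// current 24h evaluation window. Anything seen there counts as established.
let KnownPairs = SigninLogs
| where TimeGenerated between (ago(Lookback) .. ago(24h))
| where ResultType == "0"
| where IsExternal(IPAddress)
| project AccountName = UserPrincipalName, SourceIP = IPAddress
| distinct AccountName, SourceIP;
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"
| where IsExternal(IPAddress)
// Drop documented vendor, jump-host and management-plane ranges
| where not(coalesce(ipv4_is_in_any_range(IPAddress, AuthorizedRanges), false))
| project TimeGenerated, AccountName = UserPrincipalName, SourceIP = IPAddress,
          AppDisplayName, Location
// Keep only pairs with no history (leftanti = rows with no match in KnownPairs)
| join kind=leftanti (KnownPairs) on AccountName, SourceIP
| summarize FirstSeen = min(TimeGenerated), Apps = make_set(AppDisplayName),
            Locations = make_set(Location) by AccountName, SourceIP
| sort by FirstSeen desc
```

Travelers still surface the first time a new country IP appears, but only once per account and IP rather than on every sign-in.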

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enable and Connect via RDP to Generate LogonType 10 Event (Windows)

    Expected signal: Windows Security EventID 4624 with LogonType=10 (RemoteInteractive) and IpAddress=127.0.0.1 in Security event log. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational EventID 1149 recording the RDP connection with username and source address. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational EventID 21 (session logon) and 22 (shell start) on successful session establishment.

  2. Test 2: WinRM Network Logon to Generate LogonType 3 Event (Windows)

    Expected signal: Windows Security EventID 4624 with LogonType=3 (Network) and AuthenticationPackageName=NTLM or Kerberos. Sysmon EventID 3 (Network Connection) from wsmprovhost.exe (WinRM provider host). Sysmon EventID 1 (Process Create) for wsmprovhost.exe. PowerShell ScriptBlock Log EventID 4104 for executed commands. Windows Remote Management log in Microsoft-Windows-WinRM/Operational.

  3. Test 3: Query Exposed Docker API to Simulate TeamTNT Initial Access (Linux)

    Expected signal: Docker daemon log (/var/log/docker.log or journalctl -u docker --since '5 minutes ago'): GET /version and GET /containers/json HTTP requests logged with source IP and timestamp. Network connection to TCP 2375 visible in ss -tnp or netstat output. Auditd syscall events for the accept() and read() syscalls if network auditing is enabled. Sysmon for Linux EventID 3 if deployed.

  4. Test 4: SSH Repeated Failed Authentication Followed by Success (Linux)

    Expected signal: Linux auth log (/var/log/auth.log on Debian/Ubuntu or /var/log/secure on RHEL/CentOS): multiple 'Invalid user nonexistentuser_N from 127.0.0.1' and 'Failed none for invalid user' entries. Sysmon for Linux EventID 3 (Network Connection) from ssh client process to port 22. Auditd USER_AUTH records for each failed attempt with res=failed. fail2ban log entries if deployed.
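The Test 4 signal (repeated sshd failures from one source followed by an accepted logon) as a Sentinel query over the Syslog table, added here as an example that is not part of this page's rule, which has no Linux branch. It assumes sshd lines are forwarded to the Syslog table with ProcessName "sshd"; the failure threshold and success window are assumptions to tune.

```kusto
// Added example (not the page's rule): Test 4 pattern over the Syslog table.
let MinFailures = 5;      // failures from one source before a later success is interesting
let SuccessWindow = 1h;   // how soon after the last failure the success must land
let SshAuth = Syslog
| where TimeGenerated > ago(24h)
| where ProcessName == "sshd"
// User and source are pulled from lines such as
//   "Invalid user nonexistentuser_1 from 127.0.0.1 port 40112"
//   "Failed none for invalid user nonexistentuser_1 from 127.0.0.1 port 40112 ssh2"
//   "Accepted publickey for alice from 203.0.113.7 port 40120 ssh2"
| extend SshUser = extract(@"(?:user|for) (\S+) from \S+ port", 1, SyslogMessage),
         SrcIp   = extract(@" from (\S+) port \d+", 1, SyslogMessage)
| where isnotempty(SrcIp);
// Per host and source: how many failures, when, and which usernames were tried
let Failures = SshAuth
| where SyslogMessage has "Invalid user" or SyslogMessage has "Failed"
| summarize FailCount = count(), FirstFail = min(TimeGenerated),
            LastFail = max(TimeGenerated), TriedUsers = make_set(SshUser)
            by Computer, SrcIp
| where FailCount >= MinFailures;
// Successes from the same host/source that land within SuccessWindow of the last failure
SshAuth
| where SyslogMessage has "Accepted"
| project SuccessTime = TimeGenerated, Computer, SrcIp, SshUser,
          Method = extract(@"Accepted (\S+) for", 1, SyslogMessage)
| join kind=inner (Failures) on Computer, SrcIp
| where SuccessTime between (LastFail .. (LastFail + SuccessWindow))
| project SuccessTime, Computer, SrcIp, SshUser, Method,
          FailCount, FirstFail, LastFail, TriedUsers
| sort by SuccessTime desc
```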
