Detect External Remote Services in Splunk
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries typically obtain valid credentials first via phishing, credential stuffing, or prior compromise, then authenticate to these services from external infrastructure. This technique covers VPN gateways (GlobalProtect, AnyConnect, Pulse Secure, SoftEther), Remote Desktop Protocol, Windows Remote Management, Citrix, VNC, SSH, and exposed container APIs (Docker daemon on TCP 2375/2376, Kubernetes API server on 6443, kubelet on 10250). Threat groups including LAPSUS$, Volt Typhoon, Ember Bear, OilRig, GALLIUM, Scattered Spider, APT41, and Sandworm Team have been observed abusing legitimate remote access mechanisms for initial access and persistent footholds. In containerized environments, adversaries may target exposed Docker APIs or Kubernetes management interfaces that accept anonymous or unauthenticated connections. Adversaries may also establish persistence through Tor hidden services using tools like ShadowLink, which may masquerade as legitimate Windows Defender components to forward inbound RDP connections over the Tor network.
MITRE ATT&CK
- Tactic
- Persistence Initial Access
- Technique
- T1133 External Remote Services
- Canonical reference
- https://attack.mitre.org/techniques/T1133/
SPL Detection Query
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 (LogonType=10 OR LogonType=3)
| eval SourceIP=coalesce(IpAddress, src_ip, "-")
| where SourceIP != "-" AND SourceIP != "" AND SourceIP != "127.0.0.1" AND SourceIP != "::1"
| where NOT match(SourceIP, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|fe80|::1|0\.0\.0\.0)")
| eval ServiceType=case(
LogonType=10, "RDP_RemoteInteractive",
LogonType=3, "Network_WinRM_SMB",
true(), "Other")
| eval AccountName=coalesce(TargetUserName, user)
| where NOT match(AccountName, "\$$")
| eval AuthPackage=coalesce(AuthenticationPackageName, "-")
| eval IsHighValue=if(LogonType=10, "YES", "NO")
| table _time, host, AccountName, SourceIP, ServiceType, IsHighValue, AuthPackage, WorkstationName, LogonType
| sort - IsHighValue, - _timeDetects suspicious remote logons from external IP addresses using Windows Security Event ID 4624. Filters for LogonType 10 (RemoteInteractive/RDP) and LogonType 3 (Network/WinRM) while excluding all RFC 1918 private address ranges, loopback addresses, and machine accounts (accounts ending with $). Flags RDP sessions as IsHighValue=YES since direct external RDP is rarely expected in hardened environments. Authentication package field distinguishes Kerberos SSO (typical for domain-joined remote work) from NTLM (common in credential stuffing and lateral movement).
Data Sources
Required Sourcetypes
False Positives & Tuning
- Remote workers authenticating through corporate VPN where the VPN concentrator IP appears as the source — the source IP will show as the VPN gateway, not the employee's home IP
- IT staff performing authorized remote administration from jump servers or cloud management hosts with external-routable IPs
- Monitoring and ITSM platforms (SCCM, Ansible, ServiceNow MID Server) whose management network addresses are external-routable
- Cloud virtual desktops (Azure Virtual Desktop, Citrix Cloud) where the cloud gateway IP is external and proxies the session
- Disaster recovery or business continuity scenarios where staff access systems from non-standard locations
Other platforms for T1133
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable and Connect via RDP to Generate LogonType 10 Event (Windows)
Expected signal: Windows Security EventID 4624 with LogonType=10 (RemoteInteractive) and IpAddress=127.0.0.1 in Security event log. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational EventID 1149 recording the RDP connection with username and source address. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational EventID 21 (session logon) and 22 (shell start) on successful session establishment.
- Test 2WinRM Network Logon to Generate LogonType 3 Event (Windows)
Expected signal: Windows Security EventID 4624 with LogonType=3 (Network) and AuthenticationPackageName=NTLM or Kerberos. Sysmon EventID 3 (Network Connection) from wsmprovhost.exe (WinRM provider host). Sysmon EventID 1 (Process Create) for wsmprovhost.exe. PowerShell ScriptBlock Log EventID 4104 for executed commands. Windows Remote Management log in Microsoft-Windows-WinRM/Operational.
- Test 3Query Exposed Docker API to Simulate TeamTNT Initial Access (Linux)
Expected signal: Docker daemon log (/var/log/docker.log or journalctl -u docker --since '5 minutes ago'): GET /version and GET /containers/json HTTP requests logged with source IP and timestamp. Network connection to TCP 2375 visible in ss -tnp or netstat output. Auditd syscall events for the accept() and read() syscalls if network auditing is enabled. Sysmon for Linux EventID 3 if deployed.
- Test 4SSH Repeated Failed Authentication Followed by Success (Linux)
Expected signal: Linux auth log (/var/log/auth.log on Debian/Ubuntu or /var/log/secure on RHEL/CentOS): multiple 'Invalid user nonexistentuser_N from 127.0.0.1' and 'Failed none for invalid user' entries. Sysmon for Linux EventID 3 (Network Connection) from ssh client process to port 22. Auditd USER_AUTH records for each failed attempt with res=failed. fail2ban log entries if deployed.
References (12)
- https://attack.mitre.org/techniques/T1133/
- https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
- https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
- https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue
- https://media.defense.gov/2024/Feb/07/2003377460/-1/-1/0/CSA-PRC-CRITICAL-INFRASTRUCTURE.PDF
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md
- https://sygnia.co/threat-intelligence-reports/velvet-ant/
Unlock Pro Content
Get the full detection package for T1133 including response playbook, investigation guide, and atomic red team tests.