T1133

External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitr...
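The detections listed further down for this technique include Sigma-style rules such as "External Remote RDP Logon from Public IP" and "External Remote SMB Logon from Public IP". The following is an added worked example of that class of check, written for this page; it is not code from Sigma, Elastic, Splunk ESCU or MITRE. It reads Windows Security Event ID 4624 (successful logon) records, keeps only the remote logon types (10 = RemoteInteractive/RDP, 3 = Network, which covers SMB and WinRM), and alerts when the source address is globally routable. The JSON-lines layout, every IP address and the gateway allowlist are constructed sample data; the field names follow the real 4624 event.

```python
"""Flag successful Windows logons (Security Event ID 4624) that arrive
from a public source address over a remote-access logon type.

Added example for the T1133 page, not code from Sigma, Elastic or
Splunk ESCU. Field names follow the 4624 event (LogonType, IpAddress,
TargetUserName, Computer); the JSON-lines layout and every address
below are constructed sample data, not real telemetry.
"""
import ipaddress
import json

# Logon types that indicate a remote service rather than a console logon.
# 10 = RemoteInteractive (RDP); 3 = Network (SMB, WinRM and similar).
REMOTE_LOGON_TYPES = {10: "RDP (RemoteInteractive)", 3: "Network (SMB/WinRM)"}

# Constructed sample events. The public addresses are arbitrary. RFC 5737
# documentation ranges are deliberately not used, because the ipaddress
# module classifies them as non-global and they would never be flagged.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "91.200.12.34", "Computer": "WS01"}
{"EventID": 4624, "LogonType": 3,  "TargetUserName": "svc_backup", "IpAddress": "10.20.30.40", "Computer": "FS01"}
{"EventID": 4624, "LogonType": 3,  "TargetUserName": "bob", "IpAddress": "103.21.44.200", "Computer": "FS01"}
{"EventID": 4624, "LogonType": 2,  "TargetUserName": "carol", "IpAddress": "-", "Computer": "WS02"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "dave", "IpAddress": "192.168.1.23", "Computer": "WS03"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "91.200.12.99", "Computer": "WS01"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "erin", "IpAddress": "::ffff:91.200.12.35", "Computer": "WS01"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "frank", "IpAddress": "91.200.99.7", "Computer": "RDGW01"}
"""

# Hypothetical allowlist (an assumption for this example): the public
# egress range of the organisation's own VPN concentrator / RD Gateway.
# Logons relayed through an approved gateway are expected traffic and
# would otherwise fire on every legitimate remote user.
KNOWN_GATEWAYS = [ipaddress.ip_network("91.200.99.0/24")]


def _normalise(ip):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the embedded IPv4
    address is what gets classified."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_public_ip(value):
    """True if value is a globally routable IP address.

    Returns False for the '-' placeholder that 4624 uses for local
    logons, and for loopback, RFC 1918, link-local and other reserved
    space (ipaddress.is_global handles those cases).
    """
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return _normalise(ip).is_global


def in_allowlist(value, networks):
    """True if value falls inside any of the allowlisted networks.
    Only called on values that already parsed in is_public_ip."""
    ip = _normalise(ipaddress.ip_address(value))
    return any(ip in net for net in networks)


def external_remote_logons(jsonl_text, allowlist=()):
    """Return one alert dict per successful remote logon from a public IP,
    in the order the events appear."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:          # only successful logons
            continue
        logon_type = ev.get("LogonType")
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        src = ev.get("IpAddress", "-")
        if not is_public_ip(src) or in_allowlist(src, allowlist):
            continue
        alerts.append({
            "computer": ev.get("Computer"),
            "user": ev.get("TargetUserName"),
            "source_ip": src,
            "logon_type": REMOTE_LOGON_TYPES[logon_type],
        })
    return alerts


if __name__ == "__main__":
    for alert in external_remote_logons(SAMPLE_EVENTS, KNOWN_GATEWAYS):
        print(alert)
```

Two caveats a practitioner should keep in mind when deploying a rule of this shape. First, the source address in 4624 is whatever peer the host itself saw: behind a VPN concentrator, RD Gateway or NAT, that is the gateway's internal address, so the rule only catches hosts that are directly exposed, and gateway authentication logs are needed to cover the rest. Second, the failed-logon counterpart (Event ID 4625, as in the "Failed Logon From Public IP" rule listed below) is the better signal for brute-force activity; this example intentionally ignores it and alerts only on logons that succeeded.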

Platforms: Containers, Linux, macOS, Windows

72 detections, 3 sources, 26 threat actors

BY SOURCE

splunk_escu: 35, sigma: 19, elastic: 18

PROCEDURES (40)

Auto-extracted keyword groups, one per procedure, each with the number of detections mapped to it (labels are the extractor's own and are kept as emitted):

Remote (5 detections)
Remote (5 detections)
Authentication Monitoring (5 detections)
Privilege (4 detections)
Bypass (3 detections)
Api (3 detections)
Network Connection Monitoring (3 detections)
General Monitoring (3 detections)
Inject (3 detections)
Lateral (2 detections)
Dns (2 detections)
Exfiltrat (2 detections)
Unusual (2 detections)
Service (2 detections)
Inject (2 detections)
Service (2 detections)
Unusual (1 detection)
Dns (1 detection)
Http (1 detection)
Exfiltrat (1 detection)
Http (1 detection)
Child Process (1 detection)
Powershell (1 detection)
Child Process (1 detection)
Powershell (1 detection)
C2 (1 detection)
Aws (1 detection)
Privilege (1 detection)
Powershell (1 detection)
Dns (1 detection)
C2 (1 detection)
Http (1 detection)
C2 (1 detection)
Lateral (1 detection)
Suspicious (1 detection)
Suspicious (1 detection)
Exfiltrat (1 detection)
Remote (1 detection)
Registry Monitoring (1 detection)
Unusual (1 detection)

DETECTIONS (72)

Each entry gives the detection name, then its source and, where the source supplies one, its severity level:

Accepted Default Telnet Port Connection (elastic, medium)
AWS EC2 Network Access Control List Creation (elastic, low)
AWS EC2 Security Group Configuration Change (elastic, low)
AWS RDS DB Instance Made Public (elastic, medium)
Cisco Network Interface Modifications (splunk_escu)
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 (splunk_escu)
Detect attackers scanning for vulnerable JBoss servers (splunk_escu)
Detect Exchange Web Shell (splunk_escu)
Exchange PowerShell Abuse via SSRF (splunk_escu)
Exploit Public Facing Application via Apache Commons Text (splunk_escu)
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 (splunk_escu)
External Remote RDP Logon from Public IP (sigma, medium)
External Remote SMB Logon from Public IP (sigma, high)
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 (splunk_escu)
Failed Logon From Public IP (sigma, medium)
First Occurrence of Okta User Session Started via Proxy (elastic, medium)
FortiGate - New VPN SSL Web Portal Added (sigma, medium)
FortiGate - VPN SSL Settings Modified (sigma, medium)
Fortinet Appliance Auth bypass (splunk_escu)
Hunting for Log4Shell (splunk_escu)
Insecure AWS EC2 VPC Security Group Ingress Rule Added (elastic, medium)
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 (splunk_escu)
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 (splunk_escu)
Java Writing JSP File (splunk_escu)
Kubernetes Exposed Service Created With Type NodePort (elastic, medium)
Living Off The Land Detection (splunk_escu)
Log4Shell CVE-2021-44228 Exploitation (splunk_escu)
Log4Shell JNDI Payload Injection Attempt (splunk_escu)
Log4Shell JNDI Payload Injection with Outbound Connection (splunk_escu)
MS Exchange Mailbox Replication service writing Active Server Pages (splunk_escu)
Ollama API Accessed from External Network (elastic, medium)
OpenCanary - RDP New Connection Attempt (sigma, high)
OpenCanary - SSH Login Attempt (sigma, high)
OpenCanary - SSH New Connection Attempt (sigma, high)
OpenCanary - Telnet Login Attempt (sigma, high)
Outbound Network Connection from Java Using Default Ports (splunk_escu)
PaperCut NG Remote Web Access Attempt (splunk_escu)
PaperCut NG Suspicious Behavior Debug Log (splunk_escu)
Potential macOS SSH Brute Force Detected (elastic, medium)
ProxyShell ProxyNotShell Behavior Detected (splunk_escu)
RDP (Remote Desktop Protocol) from the Internet (elastic, medium)
Remote Access Tool - ScreenConnect Installation Execution (sigma, medium)
Remote Access Tool - Team Viewer Session Started On Linux Host (sigma, low)
Remote Access Tool - Team Viewer Session Started On MacOS Host (sigma, low)
Remote Access Tool - Team Viewer Session Started On Windows Host (sigma, low)
Remote SSH Login Enabled via systemsetup Command (elastic, medium)
RPC (Remote Procedure Call) from the Internet (elastic, high)
Running Chrome VPN Extensions via the Registry 2 VPN Extension (sigma, high)
Spring4Shell Payload URL Request (splunk_escu)
Successful SSH Authentication from Unusual SSH Public Key (elastic, low)
Successful SSH Authentication from Unusual User (elastic, low)
Supernova Webshell (splunk_escu)
Suspicious File Created by ArcSOC.exe (sigma, high)
Unusual Child Process of dns.exe (sigma, high)
Unusual File Deletion by Dns.exe (sigma, high)
Unusual File Modification by dns.exe (sigma, high)
Unusual SSHD Child Process (elastic, low)
User Added to Remote Desktop Users Group (sigma, high)
Virtual Private Network Connection Attempt (elastic, low)
VMWare Aria Operations Exploit Attempt (splunk_escu)
VMware Server Side Template Injection Hunt (splunk_escu)
VMware Workspace ONE Freemarker Server-side Template Injection (splunk_escu)
VNC (Virtual Network Computing) from the Internet (elastic, high)
Web JSP Request via URL (splunk_escu)
Web or Application Server Spawning a Shell (splunk_escu)
Web Spring Cloud Function FunctionRouter (splunk_escu)
Web Spring4Shell HTTP Request Class Module (splunk_escu)
Windows Exchange Autodiscover SSRF Abuse (splunk_escu)
Windows MOVEit Transfer Writing ASPX (splunk_escu)
Windows PaperCut NG Spawn Shell (splunk_escu)
Windows RDPClient Connection Sequence Events (splunk_escu)
Zoom Meeting with no Passcode (elastic, medium)