T1133: External Remote Services
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- yandex_cloud: PT-CR-1259: Yandex_Cloud_Kubernetes_External_Address_Connection: A connection to a Kubernetes cluster from an external address is detected
- yandex_cloud: PT-CR-1264: Yandex_Cloud_Public_Address_Without_DDoS_Protection_Creation: A public IP address is created without DDoS protection
- remote_work: PT-CR-1056: VPN_MultiUser_IP: The same IP address is used in different VPN sessions
- remote_work: PT-CR-1048: RDG_Abnormal_Access: Suspicious RDG connection. Authentication data differs from the collected profile.
- remote_work: PT-CR-1055: VPN_Abnormal_Access: Suspicious VPN connection. Connection data differs from the previously collected profile.
- remote_work: PT-CR-427: Connect_To_Significant_Hosts_From_VPN: Connection to a host in a critical network segment from an address that is in the corporate VPN address pool
- remote_work: PT-CR-1058: Remote_Login_From_Not_Allowed_Country: Connection via VPN or RDG from an IP address that does not belong to the allowed countries' address pool
- remote_work: PT-CR-1036: Mail_Abnormal_Access: Suspicious logon to an email account from a new mobile device. Authentication data differs from the collected profile.
- remote_work: PT-CR-436: Remote_Session_Changed_Address_CheckPoint: The IP address of a user's VPN connection in CheckPoint was changed
- remote_work: PT-CR-2653: Duplicate_Remote_Session: Duplicate VPN session
- remote_work: PT-CR-1937: SMB_RPC_Internet_Connection: Network interaction with an internet source via SMB or RPC that can be used by attackers to get initial access
- network_devices_abnormal_activity: PT-CR-472: External_VPN_Service_Usage: A connection to an external VPN service is detected
- profiling: PT-CR-1783: Owa_Abnormal_Access: Suspicious logon to Outlook Web App. Authentication data differs from the collected profile.
- profiling: PT-CR-1787: MFA_Abnormal_Access: Suspicious authentication in Multifactor. Authentication data differs from the collected profile.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that may use Valid Accounts to access and/or persist within a network using External Remote Services. Use of External Remote Services may be legitimate depending on the environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using External Remote Services. |
| DS0028 | Logon Session: Logon Session Metadata | Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze them for unusual access patterns, windows of activity, and access outside of normal business hours. |
| DS0029 | Network Traffic: Network Traffic Flow | Monitor for network traffic originating from unknown or unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. |
| DS0015 | Application Log: Application Log Content | When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application. |
| DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocols). |
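The logon-session heuristics above (unusual access patterns, off-hours logons) and several of the MaxPatrol rules listed earlier (one IP shared by different VPN users, a connection from a country outside the allowed set, a duplicate session for one user) can all be expressed as simple checks over a VPN gateway's authentication log. The following is an added example written for this page; it is not ATT&CK content or Positive Technologies' rule logic. The log format, field names, the allowed-country set and the business-hours window are all assumptions, and the log lines are constructed.

```python
"""Detect suspicious external-remote-service logons from VPN gateway log lines.

Added example, not part of the ATT&CK page or the MaxPatrol SIEM rule set.
Assumed log format (one record per line, space separated):
    <ISO-8601 timestamp> <user> <source IP> <ISO country> <session id> <event>
where event is vpn_logon or vpn_logoff.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ordinary logons mixed with four suspicious situations.
SAMPLE_LOG = """\
2024-03-04T08:55:12Z alice 203.0.113.10 DE s1001 vpn_logon
2024-03-04T09:02:40Z bob   203.0.113.10 DE s1002 vpn_logon
2024-03-04T02:17:05Z carol 198.51.100.7 DE s1003 vpn_logon
2024-03-04T10:00:00Z alice 203.0.113.10 DE s1001 vpn_logoff
2024-03-04T10:30:00Z dave  192.0.2.44   XX s1004 vpn_logon
2024-03-04T11:00:00Z alice 203.0.113.55 DE s1005 vpn_logon
2024-03-04T11:30:00Z bob   198.51.100.9 DE s1006 vpn_logon
"""

ALLOWED_COUNTRIES = {"DE", "FR"}   # assumed policy: where staff may connect from
BUSINESS_HOURS = range(7, 20)      # assumed: 07:00-19:59 UTC counts as normal


def parse(log_text):
    """Turn the assumed log format into a list of dicts, skipping blank lines."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, sid, event = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country,
            "sid": sid, "event": event,
        })
    return records


def analyze(records):
    """Return (reason, user, ip) tuples for each suspicious logon.

    Checks, in order: source country outside the allowed set, logon outside
    business hours, one source IP used by more than one user, and a second
    concurrent session for a user who has not logged the first one off.
    """
    alerts = []
    users_by_ip = defaultdict(set)       # ip -> users seen logging on from it
    active_by_user = defaultdict(list)   # user -> session ids without a logoff
    for r in records:
        if r["event"] == "vpn_logoff":
            if r["sid"] in active_by_user[r["user"]]:
                active_by_user[r["user"]].remove(r["sid"])
            continue
        if r["event"] != "vpn_logon":
            continue
        if r["country"] not in ALLOWED_COUNTRIES:
            alerts.append(("country_not_allowed", r["user"], r["ip"]))
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_logon", r["user"], r["ip"]))
        users_by_ip[r["ip"]].add(r["user"])
        if len(users_by_ip[r["ip"]]) > 1:
            alerts.append(("multi_user_ip", r["user"], r["ip"]))
        active_by_user[r["user"]].append(r["sid"])
        if len(active_by_user[r["user"]]) > 1:
            alerts.append(("duplicate_session", r["user"], r["ip"]))
    return alerts


def run(log_text=SAMPLE_LOG):
    """Convenience entry point: parse and analyze in one call."""
    return analyze(parse(log_text))


if __name__ == "__main__":
    for reason, user, ip in run():
        print(f"{reason:20} user={user} src={ip}")
```

Each alert here is a starting point for triage rather than a verdict: the ATT&CK text notes that use of external remote services is often legitimate, so a real rule would be paired with the user's historical profile (hours, countries, devices) and with what happens after the logon, which is what the profile-based rules in the MaxPatrol list do.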
Mitigation
| ID | Name | Description |
|---|---|---|
| M1030 | Network Segmentation | Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| M1042 | Disable or Remove Feature or Program | Disable or block remotely available services that may be unnecessary. |
| M1035 | Limit Access to Resource Over Network | Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. |
| M1032 | Multi-factor Authentication | Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations. |