External Remote Services
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally. Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as a redundant or persistent access mechanism during an operation. Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.
Detection logic
Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours. When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.
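The following is an added example of the detection logic described above, written for this page and not taken from ATT&CK or from any vendor product. It runs over a few constructed VPN gateway authentication events (the log format, the host and user names, and the IP addresses are all made up) and flags successful logons that fall outside a configured business-hours window, come from a source address the account has never used before, or follow a burst of failed attempts. The 07:00 to 19:00 window and the failure threshold of 3 are assumptions to be tuned per environment; timestamps are treated as UTC.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample gateway authentication events (not from any real system).
# Lines are assumed to arrive in chronological order, as a SIEM would deliver them.
SAMPLE_LOG = """\
2024-03-04T08:12:03Z vpn-gw1 auth user=alice src=203.0.113.10 result=success
2024-03-04T09:05:41Z vpn-gw1 auth user=bob src=198.51.100.7 result=success
2024-03-05T08:30:12Z vpn-gw1 auth user=alice src=203.0.113.10 result=success
2024-03-05T17:48:55Z vpn-gw1 auth user=bob src=198.51.100.7 result=success
2024-03-06T02:17:09Z vpn-gw1 auth user=alice src=192.0.2.77 result=success
2024-03-06T02:18:30Z vpn-gw1 auth user=carol src=192.0.2.77 result=failure
2024-03-06T02:18:41Z vpn-gw1 auth user=carol src=192.0.2.77 result=failure
2024-03-06T02:18:52Z vpn-gw1 auth user=carol src=192.0.2.77 result=failure
2024-03-06T02:19:03Z vpn-gw1 auth user=carol src=192.0.2.77 result=success
"""

# Assumed line layout for the constructed log; adapt the pattern to the real gateway format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed business-hours window (UTC); tune to the organisation's actual working pattern.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_events(text):
    """Parse log lines into dicts with a datetime timestamp; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, fail_threshold=3):
    """Return one alert per successful logon that is outside business hours,
    from a source IP never seen for that account, or preceded by >= fail_threshold failures.

    Accounts with no prior successful logon have no source baseline yet, so the
    new-source check is skipped for their first success (only the other checks apply).
    """
    seen_src = defaultdict(set)   # user -> source IPs seen on earlier successes
    fail_streak = defaultdict(int)  # user -> consecutive failures since last success
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["result"] != "success":
            fail_streak[user] += 1
            continue
        reasons = []
        if not (BUSINESS_START <= ev["ts"].time() < BUSINESS_END):
            reasons.append("outside_business_hours")
        if seen_src[user] and ev["src"] not in seen_src[user]:
            reasons.append("new_source_ip")
        if fail_streak[user] >= fail_threshold:
            reasons.append(f"after_{fail_streak[user]}_failures")
        # Reset state after a success so the next streak is counted afresh.
        fail_streak[user] = 0
        seen_src[user].add(ev["src"])
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": user,
                           "src": ev["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed input this raises two alerts: alice's 02:17 logon from an address her account has never used, and carol's 02:19 logon that succeeds right after three failures. Bob's logons stay within the window and from his usual source, so they produce nothing. In production the per-user source baseline would be persisted across runs rather than rebuilt from the same batch, and the new-source check is usually widened to ASN or geolocation so a user's home ISP reassigning an address does not page the on-call.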
Observed actors
G0093
G0094 Kimsuky
G1017 Volt Typhoon
G0096 APT41
G0035 Dragonfly
G0139 TeamTNT
G0034 Sandworm Team
G0026 APT18
G1015 Scattered Spider
G1024 Akira
G0049 OilRig
G0004 Ke3chang
G0065 Leviathan
G0053 FIN5
G0016 APT29
G0114 Chimera
G0088 TEMP.Veles
G1003 Ember Bear
G0007 APT28
G0115 GOLD SOUTHFIELD
G1004 LAPSUS$
G0102 Wizard Spider
G1040 Play
G0027 Threat Group-3390
G1016 FIN13
Correlated CTI and IR reports
CTI Research: Sandworm / APT44 (1200km CTI repository · explicit report mention)
Pioneer Kitten (Fox Kitten, Lemon Sandstorm, UNC757) – Actor Deep Research (1200km CTI repository · explicit report mention)
CTI Research Sandworm APT44 (Israel Threat Actors CTI · explicit report mention)
Single Event Detection Rules in Cybersecurity (1200km Medium · authored report mention)