Common Information
Value External Remote Services - T1133
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. Adversaries may use remote services to access and persist within a network. (Citation: Volexity Virtual Private Keylogging) Access to Valid Accounts to use the service is often a requirement; the credentials could be obtained through credential phishing or taken from users after the enterprise network has already been compromised. Access to remote services may also be used as part of Redundant Access during an operation.

Detection: Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze them for unusual access patterns, unusual windows of activity, and access outside of normal business hours.

Platforms: Windows
Data Sources: Authentication logs
Permissions Required: User
Contributors: Daniel Oakley, Travis Smith, Tripwire
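The detection guidance above stays at the level of "analyze authentication logs". The following is an added example, not text from MITRE or from this cluster page, of what that analysis looks like in practice. It assumes a syslog-style remote-access gateway line of the form `user=... src=... result=success|failure` (a constructed format, not any vendor's), business hours of 07:00 to 18:59 UTC on weekdays, and a per-user baseline of known-good source addresses learned from an earlier window; the sample log lines and the threshold of five failures are likewise constructed. It flags the three patterns the description calls out: logons outside business hours, a user arriving from a source address never seen for that user, and a run of failures followed by a success from the same source.

```python
"""Added example: heuristic review of remote-access (VPN/gateway) authentication logs.
Log format, business-hours window, baseline and sample data are all assumptions."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed line format, e.g.:
# 2024-10-14T09:12:01Z vpn-gw01 auth: user=jsmith src=198.51.100.7 result=success
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC, weekdays only (assumption; tune per site)
FAILURE_THRESHOLD = 5           # failures from one source before a success is suspicious

# Constructed sample: one normal logon, one off-hours logon from a new source,
# and five failures followed by a success for an account with no baseline.
SAMPLE_LOG = """\
2024-10-14T09:12:01Z vpn-gw01 auth: user=jsmith src=198.51.100.7 result=success
2024-10-16T02:41:10Z vpn-gw01 auth: user=jsmith src=203.0.113.45 result=success
2024-10-19T03:00:05Z vpn-gw01 auth: user=admin src=203.0.113.9 result=failure
2024-10-19T03:01:07Z vpn-gw01 auth: user=admin src=203.0.113.9 result=failure
2024-10-19T03:02:11Z vpn-gw01 auth: user=admin src=203.0.113.9 result=failure
2024-10-19T03:03:19Z vpn-gw01 auth: user=admin src=203.0.113.9 result=failure
2024-10-19T03:04:22Z vpn-gw01 auth: user=admin src=203.0.113.9 result=failure
2024-10-19T03:05:30Z vpn-gw01 auth: user=admin src=203.0.113.9 result=success
"""

# Assumed baseline of sources each user has legitimately used before.
BASELINE = {"jsmith": {"198.51.100.7"}}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    success: bool


def parse(text: str) -> list[Event]:
    """Parse matching lines into Events, oldest first; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], m["user"], m["src"], m["result"] == "success"))
    return sorted(events, key=lambda e: e.ts)


def analyze(events: list[Event], baseline: dict[str, set[str]]) -> list[tuple[str, str, str, str]]:
    """Return (finding, user, src, timestamp) tuples for successful logons that look anomalous."""
    findings = []
    failures: dict[tuple[str, str], int] = defaultdict(int)  # (user, src) -> consecutive failures
    for e in events:
        key = (e.user, e.src)
        if not e.success:
            failures[key] += 1
            continue
        stamp = e.ts.isoformat()
        # A burst of failures immediately before a success from the same source
        # is the classic brute-force / password-guessing footprint.
        if failures[key] >= FAILURE_THRESHOLD:
            findings.append(("bruteforce_then_success", e.user, e.src, stamp))
        failures[key] = 0
        # Access outside normal business hours (weekends count as off-hours).
        if e.ts.hour not in BUSINESS_HOURS or e.ts.weekday() >= 5:
            findings.append(("off_hours_login", e.user, e.src, stamp))
        # A source address this user has never authenticated from before.
        if e.src not in baseline.get(e.user, set()):
            findings.append(("new_source_for_user", e.user, e.src, stamp))
    return findings


def run_sample() -> list[tuple[str, str, str, str]]:
    """Run the heuristics over the constructed sample log."""
    return analyze(parse(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

Each heuristic on its own produces noise (a travelling user trips both the off-hours and new-source checks), so in practice these are scored or correlated rather than alerted on individually; the brute-force-then-success pattern is the one that usually merits an immediate look, together with a check of whether the account in question should be allowed to use the remote service at all.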
Details Published Attributes CTI Title
Details Website 2025-02-11 0 Threat Landscape Report: Uncovering Critical Cyber Threats to Manufacturing Sector - ReliaQuest
Details Website 2025-02-04 89 Abyss Locker Ransomware: Attack Flow & Defense Strategies | Sygnia
Details Website 2025-01-28 0 CrowdStrike Falcon Earns Perfect Score in SE Labs’ Ransomware Evaluation
Details Website 2025-01-22 40 Dark Web Profile: OilRig (APT34) - SOCRadar® Cyber Intelligence Inc.
Details Website 2025-01-16 345 The Feed 2025–01–16
Details Website 2025-01-10 30 Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf
Details Website 2025-01-10 30 Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf
Details Website 2024-12-12 7 The Bite from Inside: The Sophos Active Adversary Report
Details Website 2024-12-10 0 Holiday Season Cyber Threats (Part 2): Ransomware, Gift Cards, and…
Details Website 2024-12-03 10 Gafgyt Malware Targeting Docker Remote API Servers
Details Website 2024-12-02 67 BianLian's Shape-Shifting Tactics: From Encryption to Pure Extortion
Details Website 2024-11-26 23 Top Cyber Attacker Techniques, August–October 2024
Details Website 2024-11-26 23 Top Cyber Attacker Techniques, August–October 2024 - ReliaQuest
Details Website 2024-11-25 4 CISA’s chemical SSGs focus on strengthening cyber defenses, protecting from cyber threats | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Details Website 2024-11-19 5 Latest Report Findings: Retail Trade Faces 111% Jump in Ransomware - ReliaQuest
Details Website 2024-11-12 5 Report Shows Ransomware Has Grown 41% for Construction Industry - ReliaQuest
Details Website 2024-11-09 19 TRACKING RANSOMWARE : OCTOBER 2024 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Details Website 2024-11-06 0 Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Details Website 2024-11-04 27 Jumpy Pisces Threat Intel
Details Website 2024-11-04 57 Threat Intelligence Report October 29 - November 4 2024 | Red Piranha
Details Website 2024-10-24 79 Arctic Wolf Labs Observes Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN - Arctic Wolf
Details Website 2024-10-22 13 Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach
Details Website 2024-10-21 21 Attackers Target Exposed Docker Remote API Servers With perfctl Malware
Details Website 2024-10-18 27 Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A
Details Website 2024-10-16 108 Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations | CISA