Common Information

Type | Value
---|---
Value | External Remote Services - T1133
Category | Attack-Pattern
Type | Mitre-Enterprise-Attack-Attack-Pattern
Misp Type | Cluster
Description | Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. Adversaries may use remote services to access and persist within a network. (Citation: Volexity Virtual Private Keylogging) Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as part of Redundant Access during an operation.
Detection | Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.
Platforms | Windows
Data Sources | Authentication logs
Permissions Required | User
Contributors | Daniel Oakley, Travis Smith, Tripwire
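
The detection guidance above (review remote-service authentication logs for access outside normal business hours) as an added example, not part of the MITRE/MISP record: the log format, the user and service names, and the 08:00-18:00 working window are constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample authentication log from a hypothetical remote-access
# gateway (VPN, Citrix, WinRM). Fields: timestamp, user, service, source, result.
SAMPLE_AUTH_LOG = """\
2021-06-01T09:12:04 alice vpn 203.0.113.10 success
2021-06-01T13:40:51 bob vpn 198.51.100.7 success
2021-06-01T22:05:19 alice vpn 203.0.113.10 success
2021-06-02T03:17:42 svc-backup winrm 192.0.2.44 success
2021-06-02T03:18:05 svc-backup winrm 192.0.2.44 failure
2021-06-02T10:02:33 carol citrix 198.51.100.22 success
"""

# Assumed local business-hours window; tune per organisation.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def parse_auth_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, service, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "service": service, "src": src, "result": result})
    return events


def off_hours_logins(events, window=BUSINESS_HOURS):
    """Return successful remote-service logins outside the working window.

    Only successes are kept: a failed attempt is noise for this rule, and
    successful off-hours use of a valid account is what T1133 detection
    guidance asks analysts to review.
    """
    start, end = window
    return [e for e in events
            if e["result"] == "success" and not (start <= e["ts"].time() < end)]


def summarize(events):
    """Compact (user, service, timestamp) tuples for a review queue."""
    return [(e["user"], e["service"], e["ts"].isoformat()) for e in events]


if __name__ == "__main__":
    for row in summarize(off_hours_logins(parse_auth_log(SAMPLE_AUTH_LOG))):
        print("off-hours remote login:", row)
```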
Details | Type | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2021-06-22 | 7 | How Falcon Complete Disrupts eCrime Operators (WIZARD SPIDER)
Details | Website | 2021-06-15 | 53 | Handy guide to a new Fivehands ransomware variant
Details | Website | 2021-05-14 | 58 | DarkSide Ransomware Victims Sold Short \| McAfee Blog
Details | Website | 2021-05-11 | 11 | DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks \| CISA
Details | Website | 2021-05-10 | 95 | —
Details | Website | 2021-04-22 | 33 | CISA Identifies SUPERNOVA Malware During Incident Response \| CISA
Details | Website | 2021-04-21 | 36 | Monitoring Pulse Connect Secure With Splunk (CISA Emergency Directive 21-03)
Details | Website | 2021-04-20 | 102 | Authentication Bypass Techniques and Pulse Secure Zero-Day
Details | Website | 2021-03-30 | 57 | APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign
Details | Website | 2021-02-25 | 190 | So Unchill: Melting UNC2198 ICEDID to Ransomware Operations \| Mandiant
Details | Website | 2021-01-12 | 216 | Abusing cloud services to fly under the radar
Details | Website | 2021-01-12 | 215 | Abusing cloud services to fly under the radar
Details | Website | 2020-12-17 | 91 | Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations \| CISA
Details | Website | 2020-11-02 | 39 | Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945 \| Mandiant
Details | Website | 2020-10-12 | 7 | KELA's 100 Over 100: September 2020 in Network Access Sales - Kela
Details | Website | 2020-09-23 | 26 | Your best defense against ransomware: Find the early warning signs - Help Net Security
Details | Website | 2020-08-05 | 21 | —
Details | Website | 2020-08-04 | 15 | —
Details | Website | 2020-07-22 | 51 | Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW) - SentinelLabs
Details | Website | 2020-03-25 | 78 | APT41 Initiates Intrusion Campaign Using Multiple Exploits
Details | Website | 2019-12-17 | 11 | It's time to disconnect RDP from the internet \| WeLiveSecurity
Details | Website | 2010-09-23 | 16 | Attacking MSSQL Servers, Pt. II \| Huntress