External Remote Services T1133

Events covered

19 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 216 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (196 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (938 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (145 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 20 rules

• External Remote RDP Logon from Public IP
• External Remote SMB Logon from Public IP
• Failed Logon From Public IP
• FortiGate - New VPN SSL Web Portal Added
• FortiGate - VPN SSL Settings Modified
• OpenCanary - RDP New Connection Attempt
• OpenCanary - SSH Login Attempt
• OpenCanary - SSH New Connection Attempt
• OpenCanary - Telnet Login Attempt
• Potential Exploitation of GoAnywhere MFT Vulnerability
• Remote Access Tool - ScreenConnect Installation Execution
• Remote Access Tool - Team Viewer Session Started On Linux Host
• Remote Access Tool - Team Viewer Session Started On MacOS Host
• Remote Access Tool - Team Viewer Session Started On Windows Host
• Running Chrome VPN Extensions via the Registry 2 VPN Extension
• Suspicious File Created by ArcSOC.exe
• Unusual Child Process of dns.exe
• Unusual File Deletion by Dns.exe
• Unusual File Modification by dns.exe
• User Added to Remote Desktop Users Group

Elastic 18 rules

• Accepted Default Telnet Port Connection
• AWS EC2 Network Access Control List Creation
• AWS EC2 Security Group Configuration Change
• AWS RDS DB Instance Made Public
• First Occurrence of Okta User Session Started via Proxy
• Insecure AWS EC2 VPC Security Group Ingress Rule Added
• Kubernetes Exposed Service Created With Type NodePort
• Ollama API Accessed from External Network
• Potential macOS SSH Brute Force Detected
• RDP (Remote Desktop Protocol) from the Internet
• Remote SSH Login Enabled via systemsetup Command
• RPC (Remote Procedure Call) from the Internet
• Successful SSH Authentication from Unusual SSH Public Key
• Successful SSH Authentication from Unusual User
• Unusual SSHD Child Process
• Virtual Private Network Connection Attempt
• VNC (Virtual Network Computing) from the Internet
• Zoom Meeting with no Passcode

Splunk 44 rules

• Cisco Network Interface Modifications
• Confluence Unauthenticated Remote Code Execution CVE-2022-26134
• Detect attackers scanning for vulnerable JBoss servers
• Detect Exchange Web Shell
• Disabled Pre-Authentication Accounts Discovery - PowerShell (PowerShell)
• Disabled Pre-Authentication Accounts Discovery - PowerShell (Sysmon)
• Disabled Pre-Authentication Accounts Discovery - PowerShell (Windows Event Log)
• Exchange PowerShell Abuse via SSRF
• Exploit Public Facing Application via Apache Commons Text
• Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
• F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
• Fortinet Appliance Auth bypass
• Hunting for Log4Shell
• Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
• Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
• Java Writing JSP File
• Living Off The Land Detection
• Log4Shell CVE-2021-44228 Exploitation
• Log4Shell JNDI Payload Injection Attempt
• Log4Shell JNDI Payload Injection with Outbound Connection
• MS Exchange Mailbox Replication service writing Active Server Pages
• Outbound Network Connection from Java Using Default Ports
• PaperCut NG Remote Web Access Attempt
• PaperCut NG Suspicious Behavior Debug Log
• ProxyShell ProxyNotShell Behavior Detected
• RDP Brute-force Detection (Windows Event Log)
• RDP Connection (Sysmon)
• RDP Connection (Windows Event Log)
• RDP Hijacking (Windows Event Log)
• RDP Logon_Logoff Event (Windows Event Log)
• Spring4Shell Payload URL Request
• Supernova Webshell
• Temporary ConnectWise xml File Activity (Windows Event Log)
• VMWare Aria Operations Exploit Attempt
• VMware Server Side Template Injection Hunt
• VMware Workspace ONE Freemarker Server-side Template Injection
• Web JSP Request via URL
• Web or Application Server Spawning a Shell
• Web Spring Cloud Function FunctionRouter
• Web Spring4Shell HTTP Request Class Module
• Windows Exchange Autodiscover SSRF Abuse
• Windows MOVEit Transfer Writing ASPX
• Windows PaperCut NG Spawn Shell
• Windows RDPClient Connection Sequence Events

Kusto 130 rules

• Apache - Apache 2.4.49 flaw CVE-2021-41773
• Apache - Command in URI
• Apache - Known malicious user agent
• Apache - Multiple client errors from single IP
• Apache - Multiple server errors from single IP
• Apache - Private IP in URL
• Apache - Put suspicious file
• Apache - Request from private IP
• Apache - Requests to rare files
• ApexOne - Commands in Url
• AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
• Cisco SE - Malware outbreak
• Cisco SE - Multiple malware on host
• Cisco SE - Unexpected binary file
• CiscoISE - Command executed with the highest privileges from new IP
• CiscoISE - Command executed with the highest privileges by new user
• Claroty - Login to uncommon location
• Claroty - Multiple failed logins by user
• Claroty - Multiple failed logins to same destinations
• Claroty - New Asset
• Cloudflare - Bad client IP
• Cloudflare - Bad client IP
• Cloudflare - Client request from country in blocklist
• Cloudflare - Client request from country in blocklist
• Cloudflare - Empty user agent
• Cloudflare - Empty user agent
• Cloudflare - Multiple error requests from single source
• Cloudflare - Multiple error requests from single source
• Cloudflare - Multiple user agents for single source
• Cloudflare - Multiple user agents for single source
• Cloudflare - Unexpected client request
• Cloudflare - Unexpected client request
• Cloudflare - Unexpected URI
• Cloudflare - Unexpected URI
• Cloudflare - WAF Allowed threat
• Cloudflare - WAF Allowed threat
• Cloudflare - XSS probing pattern in request
• Cloudflare - XSS probing pattern in request
• Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
• Dataverse - Login by a sensitive privileged user
• Dataverse - Login from IP in the block list
• Dataverse - Login from IP not in the allow list
• Dataverse - New sign-in from an unauthorized domain
• Dataverse - New user agent type that was not used with Office 365
• Dataverse - TI map IP to DataverseActivity
• Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session)
• Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session)
• Detect known risky user agents (ASIM Web Session)
• Detect Local File Inclusion(LFI) in web requests (ASIM Web Session)
• Detect presence of uncommon user agents in web requests (ASIM Web Session)
• Detect threat information in web requests (ASIM Web Session)
• Detect URLs containing known malicious keywords or commands (ASIM Web Session)
• Detect web requests to potentially harmful files (ASIM Web Session)
• Fortiweb - WAF Allowed threat
• GCP Audit Logs - Open Firewall Rule Created or Modified
• GCP Security Command Center - Detect Firewall rules allowing unrestricted high-risk ports
• GSA - Detect Connections Outside Operational Hours
• GWorkspace - Alert events
• Identify instances where a single source is observed using multiple user agents (ASIM Web Session)
• Imperva - Abnormal protocol usage
• Imperva - Critical severity event not blocked
• Imperva - Forbidden HTTP request method in request
• Imperva - Malicious Client
• Imperva - Malicious user agent
• Imperva - Multiple user agents from same source
• Imperva - Possible command injection
• Imperva - Request from unexpected countries
• Imperva - Request from unexpected IP address to admin panel
• Imperva - Request to unexpected destination port
• Jamf Protect - Network Threats
• NGINX - Command in URI
• NGINX - Known malicious user agent
• NGINX - Multiple client errors from single IP address
• NGINX - Multiple server errors from single IP address
• NGINX - Multiple user agents for single source
• NGINX - Private IP address in URL
• NGINX - Put file and get file from same IP address
• Oracle - Command in URI
• Oracle - Malicious user agent
• Oracle - Multiple client errors from single IP
• Oracle - Multiple server errors from single IP
• Oracle - Multiple user agents for single source
• Oracle - Private IP in URL
• Oracle - Put file and get file from same IP address
• Oracle - Put suspicious file
• OracleDBAudit - Connection to database from external IP
• Palo Alto Prisma Cloud - High risk score alert
• Palo Alto Prisma Cloud - High severity alert opened for several days
• Palo Alto Prisma Cloud - Maximum risk score alert
• Palo Alto Prisma Cloud - Network ACL allow all outbound traffic
• Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports
• Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic
• PaloAlto - Dropping or denying session with traffic
• PaloAlto - File type changed
• PaloAlto - Forbidden countries
• PaloAlto - Inbound connection to high risk ports
• PaloAlto - MAC address conflict
• PaloAlto - Possible attack without response
• PaloAlto - Possible flooding
• PaloAlto - Put and post method request in high risk file type
• PaloAlto - User privileges was changed
• Radiflow - New Activity Detected
• SailPointIdentityNowAlertForTriggers
• SailPointIdentityNowEventType
• SailPointIdentityNowEventTypeTechnicalName
• SailPointIdentityNowFailedEvents
• SailPointIdentityNowFailedEventsBasedOnTime
• SailPointIdentityNowUserWithFailedEvent
• Semperis DSP Operations Critical Notifications
• SlackAudit - Empty User Agent
• SonicWall - Allowed SSH, Telnet, and RDP Connections
• Tomcat - Commands in URI
• Tomcat - Known malicious user agent
• Tomcat - Multiple client errors from single IP address
• Tomcat - Multiple empty requests from same IP
• Tomcat - Multiple server errors from single IP address
• Tomcat - Put file and get file from same IP address
• Tomcat - Request from localhost IP address
• Tomcat - Server errors after multiple requests from same IP
• Ubiquiti - RDP from external source
• Ubiquiti - SSH from external source
• Ubiquiti - Unknown MAC Joined AP
• Zscaler - Forbidden countries
• Zscaler - Shared ZPA session
• Zscaler - Unexpected event count of rejects by policy
• Zscaler - Unexpected update operation
• Zscaler - Unexpected ZPA session duration
• Zscaler - ZPA connections from new country
• Zscaler - ZPA connections from new IP
• Zscaler - ZPA connections outside operational hours

Panther 4 rules

• AWS RDS Instance Modified to be Publicly Accessible
• AWS VPC Default Network ACL Restricts All Traffic
• AWS VPC Default Security Group Restrictions
• Wiz Issue Followed By SSH to EC2 Instance