DET0354 Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers

Item          | Value
ID            | DET0354
Version       | 1.0
Created       | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1133 (External Remote Services)

Analytics

Windows

AN1004

Unusual or unauthorized external remote access attempts (e.g., RDP, VPN, Citrix) → repeated failed logins followed by a successful session from uncommon geolocations or outside business hours → subsequent internal lateral movement or data exfiltration activities.

Log Sources
Data Component                       | Name                    | Channel
User Account Authentication (DC0002) | WinEventLog:Security    | EventCode=4776, 4625
Application Log Content (DC0038)     | WinEventLog:Application | VPN, Citrix, or remote access gateway logs showing external IP addresses
Network Connection Creation (DC0082) | WinEventLog:Sysmon      | EventCode=3, 22
Mutable Elements
Field                | Description
BusinessHours        | Normal business hours for logon activity.
KnownRemoteIPs       | List of approved external IPs or VPN endpoints.
FailedLogonThreshold | Number of failed logons before raising suspicion (e.g., >5).
GeoIPWhitelist       | Geographic regions allowed for remote access.
TimeWindow           | Time window to correlate failed attempts and success (e.g., 15m).

Linux

AN1005

Repeated SSH, VPN, or RDP gateway authentication attempts from external IPs → subsequent successful logon → remote shell or lateral movement activity (e.g., scp/sftp).

Log Sources
Data Component                       | Name            | Channel
Logon Session Metadata (DC0088)      | auditd:SYSCALL  | ssh logins or execve of remote commands
Application Log Content (DC0038)     | NSM:Connections | Failed password or accepted password for SSH users
Network Connection Creation (DC0082) | NSM:Flow        | connection: Inbound connections to SSH or VPN ports
Mutable Elements
Field                | Description
KnownSSHClients      | Legitimate IPs or client fingerprints for SSH/VPN.
FailedLogonThreshold | Number of failed SSH logins to trigger alert.
TimeWindow           | Correlation window for failed attempts and success.

macOS

AN1006

Unexpected inbound or outbound VNC/SSH/Screen Sharing connections from external sources → repeated failed logins followed by success → remote interactive sessions or abnormal file transfers.

Log Sources
Data Component                       | Name             | Channel
Logon Session Metadata (DC0088)      | macos:unifiedlog | Remote login (ssh) or screen sharing authentication attempts
Network Connection Creation (DC0082) | macos:unifiedlog | Inbound connections to VNC/SSH ports
Network Traffic Flow (DC0078)        | PF:Logs          | External traffic to remote access services
Mutable Elements
Field           | Description
KnownVNCServers | List of approved VNC/SSH sources.
TimeWindow      | Time correlation between failed attempts and success.

Containers

AN1007

Connections to exposed container services (e.g., Docker API, Kubernetes API server) from unauthorized external IPs → abnormal container creation/start → lateral activity within cluster nodes.

Log Sources
Data Component                       | Name               | Channel
Application Log Content (DC0038)     | ApplicationLog:API | Docker/Kubernetes API access from external sources
Logon Session Metadata (DC0088)      | kubernetes:audit   | Unauthorized container creation or kubelet exec logs
Network Connection Creation (DC0082) | NSM:Flow           | External access to container ports (2375, 6443)
Mutable Elements
Field        | Description
AllowedCIDRs | Approved external IP ranges for container APIs.
TimeWindow   | Correlation window for API calls and container starts.
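The failed-then-successful-logon chain shared by AN1004, AN1005 and AN1006, as an added example that is not part of this detection strategy: a small Python correlator that applies the mutable elements FailedLogonThreshold, TimeWindow, KnownRemoteIPs and BusinessHours to constructed, pre-normalized Windows 4625/4776 records. The concrete values, the sample accounts and IPs, and the ev() helper are assumptions made for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Mutable elements of AN1004; the concrete values are assumptions chosen for this demo.
FAILED_LOGON_THRESHOLD = 5                          # FailedLogonThreshold
TIME_WINDOW = timedelta(minutes=15)                 # TimeWindow
KNOWN_REMOTE_IPS = [ip_network("203.0.113.0/24")]  # KnownRemoteIPs (TEST-NET-3 range)
BUSINESS_HOURS = (8, 18)                           # BusinessHours: 08:00 to 18:00 local

# Constructed, already-normalized events: 4625 = failed logon, 4776 = credential validation
# (a real 4776 reports success via Error Code 0x0 and carries no source IP; the IP here is
# assumed joined in from the gateway log, DC0038).
def ev(hhmm, code, user, ip):
    hour, minute = (int(x) for x in hhmm.split(":"))
    return {"ts": datetime(2025, 10, 21, hour, minute), "code": code, "user": user, "ip": ip}

SAMPLE_EVENTS = (
    [ev(f"02:0{m}", 4625, "jdoe", "198.51.100.7") for m in range(1, 7)]  # 6 failures, 02:01-02:06
    + [ev("02:08", 4776, "jdoe", "198.51.100.7")]                         # success from unknown IP
    + [ev("09:58", 4625, "asmith", "203.0.113.5"), ev("09:59", 4625, "asmith", "203.0.113.5"),
       ev("10:00", 4776, "asmith", "203.0.113.5")]                        # 2 failures, approved VPN IP
    + [ev(f"1{h}:00", 4625, "bkim", "192.0.2.9") for h in range(1, 7)]    # 6 failures, one per hour
    + [ev("16:05", 4776, "bkim", "192.0.2.9")]                            # success; failures aged out
)

def is_known_ip(ip):
    return any(ip_address(ip) in net for net in KNOWN_REMOTE_IPS)

def outside_business_hours(ts):
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])

def correlate(events, threshold=FAILED_LOGON_THRESHOLD, window=TIME_WINDOW):
    """Flag a success for (user, ip) preceded by >= threshold failures inside the window when
    the source is not an approved remote IP or the logon lands outside business hours."""
    failures = defaultdict(deque)  # (user, ip) -> failure timestamps, oldest first
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        q = failures[(e["user"], e["ip"])]
        if e["code"] == 4625:
            q.append(e["ts"])
        elif e["code"] == 4776:
            while q and e["ts"] - q[0] > window:  # drop failures older than TimeWindow
                q.popleft()
            if len(q) >= threshold and (not is_known_ip(e["ip"]) or outside_business_hours(e["ts"])):
                alerts.append({"user": e["user"], "ip": e["ip"], "failures": len(q),
                               "at": e["ts"].isoformat()})
            q.clear()  # a success closes the chain for this source
    return alerts
```

Running correlate(SAMPLE_EVENTS) yields one alert, for jdoe at 02:08 from 198.51.100.7 after six failures; the approved VPN source inside business hours and the slow, hour-spaced failures both stay silent, which is the false-positive behaviour the TimeWindow and KnownRemoteIPs elements are meant to buy.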