External Remote Services (T1133) Incident

by

SIEM Alert

Alert Source: Splunk SIEM Correlation Rule
Alert Time: 2023-10-28 03:15:47 UTC
Severity: High
Rule: “Multiple RDP Connections from Unusual External IP”
Alert ID: SIEM-CORR-8923

Alert Details:

SIEM Correlation Rule Triggered: T1133 - External Remote Services
Time Range: 03:00-03:15 UTC

Correlated Events:
1. VPN Authentication: User jsmith successfully authenticated via Pulse Secure VPN from IP 89.248.165[.]23 (Moscow, Russia)
2. RDP Connection: User jsmith established RDP session to SRV-FIN-02 from VPN IP
3. AD Group Changes: User jsmith added to "Remote Desktop Users" group 4 hours prior
4. Failed Logon Attempts: 12 failed attempts to jsmith account from same IP before success

Event Details:
- User: jsmith (John Smith, Accounting Dept)
- Source IP: 89.248.165[.]23 (Digital Energy LLC, Russia)
- VPN Client Version: Pulse Secure 9.1.12 (legitimate version)
- RDP Destination: SRV-FIN-02 (Windows Server 2019, Finance Application Server)
- Session Duration: 12 minutes (03:03-03:15 UTC)
- Activities Observed: PowerShell execution, network scanning commands

Threat Intelligence Context:
- IP 89.248.165[.]23 associated with APT29 (Cozy Bear) in past 90 days
- User jsmith normally logs in from New York area (US East Coast)
- No travel notifications for Russia

MITRE ATT&CK Mapping:

  • T1133: External Remote Services
  • T1078: Valid Accounts
  • T1021: Remote Services
  • T1087: Account Discovery

2. Investigation Process & Tools Used

StepActionTools UsedFindings & Actions
1. Alert ValidationVerify SIEM correlation accuracy, check raw logs.Splunk SIEMVPN Logs (Pulse Secure)Windows Event LogsCorrelation confirmed: All events legitimate, occurring within 15-minute window.
2. User VerificationContact user, check travel status, verify legitimacy.ServiceNowHR DatabaseUser ManagerUser jsmith confirmed sleeping at home (New York time 23:15). No travel to Russia.
3. Credential AnalysisCheck password last change, MFA status, account lockout.Active DirectoryAzure ADMFA Server (Duo)Password changed 2 weeks ago. MFA disabled for VPN (exception for legacy system).
4. Endpoint AnalysisExamine source endpoint (if available) and target server.EDR (CrowdStrike Falcon)Windows Event LogsSRV-FIN-02: PowerShell executed nltest /domain_trusts and net group "Domain Admins".
5. Network AnalysisCheck VPN logs, firewall flows, RDP session data.VPN ConcentratorPalo Alto FirewallNetFlowRDP session transferred 48MB data outbound (compressed RDP traffic). No lateral movement detected.
6. Threat HuntingSearch for similar patterns, check for persistence.Splunk Advanced SearchesEDR QueriesFound 3 other users with VPN logins from unusual locations in past 7 days (investigating).
7. ContainmentIsolate accounts, disable VPN access, block malicious IP.Active DirectoryVPN Management ConsoleFirewall1. Disabled jsmith AD account.
2. Revoked VPN certificate.
3. Blocked Russian IP at firewall.
8. ForensicsCapture memory, analyze RDP artifacts, check for backdoors.FTK ImagerVelociraptorRDP Cache AnalyzerFound RDP bitmap cache with screenshot of finance application. No malware on server.
9. RemediationReset credentials, remove unauthorized group memberships.AD Password ResetGroup PolicySecurity Hardening1. Password reset enforced.
2. Removed from “Remote Desktop Users”.
3. Enabled MFA for all VPN users.
10. MonitoringEnhance detection rules, implement behavioral baselines.Splunk Alert TuningUEBA (Exabeam)VPN AnalyticsCreated new rule: “VPN login + RDP within 5 minutes from new geolocation”.

3. Detailed Jira Comment

Jira Ticket: SOC-2023-0896
Summary: External Remote Services Compromise via VPN/RDP from Russia
Status: Resolved
Resolution: Malicious - Credential Compromise
Priority: P1 - High
Labels: T1133APT-suspectedcredential-theftRDP-abusefinance-server
Affected Systems: SRV-FIN-02, jsmith user account

Comment by [Analyst Name] – [Date/Time]:

INCIDENT ANALYSIS REPORT: EXTERNAL REMOTE SERVICES (T1133)

1. Executive Summary:
On 2023-10-28 at 03:15 UTC, SIEM correlation rules detected T1133 activity involving user jsmith successfully authenticating via VPN from Moscow, Russia (IP 89.248.165[.]23) and immediately establishing an RDP session to finance server SRV-FIN-02. The user was confirmed to be in New York at the time, indicating credential compromise. The attacker performed reconnaissance activities via PowerShell before the session was terminated. Immediate containment prevented further access, and no data exfiltration beyond RDP screen capture was confirmed.

2. Timeline:

Day -1 (2023-10-27):
19:00 UTC: jsmith legitimate VPN login from New York (normal work)
22:00 UTC: jsmith logs off VPN

Day 0 (2023-10-28):
02:45 UTC: First failed VPN attempt from Russian IP
02:46-02:58 UTC: 11 more failed attempts (password spraying)
03:00 UTC: Successful VPN authentication (credentials valid)
03:03 UTC: RDP session established to SRV-FIN-02
03:05 UTC: PowerShell execution begins (reconnaissance commands)
03:12 UTC: Attempt to access finance database (blocked by application)
03:15 UTC: Session disconnected (possibly due to network interruption)
03:15 UTC: SIEM correlation alert triggers
03:20 UTC: SOC initiates investigation
03:25 UTC: jsmith account disabled, VPN certificate revoked
03:30 UTC: Russian IP blocked at all network layers
04:00 UTC: Forensics on SRV-FIN-02 begins
05:30 UTC: Password reset enforced, MFA enabled for VPN

3. Technical Analysis:

  • Attack Chain Reconstruction:
    1. Credential Acquisition: Likely via phishing or credential stuffing (jsmith password reused elsewhere)
    2. VPN Access: Attacker used valid credentials to bypass VPN (MFA was disabled for legacy compatibility)
    3. Lateral Movement Planning: Added to “Remote Desktop Users” group (occurred 4 hours prior via compromised admin account)
    4. Reconnaissance: Once on SRV-FIN-02, performed Active Directory and network discovery
  • Commands Executed (via PowerShell):textnltest /domain_trusts /all_trusts net group “Domain Admins” /domain net localgroup administrators systeminfo | findstr /B /C:”OS Name” /C:”OS Version” netstat -ano | findstr :3389
  • Infrastructure Analysis:
    • Source IP: 89.248.165[.]23 – Associated with APT29 in threat intelligence feeds
    • VPN Client: Pulse Secure 9.1.12 (legitimate version, not tampered)
    • Authentication Method: Password-only (MFA exception for legacy system)
  • Data Access Attempts:
    • RDP bitmap cache contained screenshots of finance application (Accounts Payable module)
    • Attempted connection to SQL Server on port 1433 (blocked by host firewall)
    • No files copied or modified based on Windows file audit logs

4. Scope & Impact Assessment:

  • Compromised Assets:
    • User account: jsmith (Accounting Department)
    • Server: SRV-FIN-02 (Windows Server 2019)
    • Potential: Domain admin account (based on group membership changes)
  • Data Accessed:
    • Finance application screenshots via RDP cache
    • Active Directory structure information
    • Network topology information
  • Business Impact: Medium
    • Confidentiality: Medium (financial data visibility)
    • Integrity: Low (no modifications made)
    • Availability: Low (no service disruption)

5. Containment & Remediation Actions:

  • Immediate Containment (03:20-03:45 UTC):
    • Disabled jsmith AD account and all associated service accounts
    • Revoked VPN client certificate and session
    • Blocked IP 89.248.165[.]23 at firewall (Palo Alto), VPN concentrator, and WAF
    • Terminated all active RDP sessions on SRV-FIN-02
  • Forensic Collection (03:45-05:00 UTC):
    • Captured memory dump of SRV-FIN-02 using Velociraptor
    • Extracted RDP cache files for analysis
    • Collected PowerShell logs and Windows Event logs
    • Performed timeline analysis using SuperTimeline
  • Remediation (05:00-07:00 UTC):
    1. Credential Security:
      • Forced password reset for jsmith and all users in Accounting department
      • Enabled MFA for ALL VPN users (removed legacy exceptions)
      • Implemented 30-day password expiration policy for privileged accounts
    2. Access Control:
      • Removed jsmith from “Remote Desktop Users” group
      • Implemented JIT (Just-In-Time) access for RDP to critical servers
      • Configured Network Policy Server (NPS) to restrict RDP by time and user role
    3. System Hardening:
      • Disabled PowerShell v2 on all servers
      • Enabled PowerShell Constrained Language Mode on SRV-FIN-02
      • Configured Windows Defender Application Control on finance servers

6. Indicators of Compromise (IOCs):

TYPE         INDICATOR                           DESCRIPTION
IP           89.248.165[.]23                     Attacker IP (Russia)
User         jsmith                              Compromised account
Command      nltest /domain_trusts               Reconnaissance
Command      net group "Domain Admins"           Privilege discovery
Session      RDP to SRV-FIN-02                   Target system
Time Window  03:00-03:15 UTC                     Attack timeframe
VPN Client   9.1.12                              Pulse Secure version

ADDITIONAL IOCs FROM THREAT HUNTING:
- Registry Key: HKU\S-1-5-21-*\Software\Microsoft\Terminal Server Client\Default (RDP MRU)
- File: C:\Users\jsmith\AppData\Local\Microsoft\Terminal Server Client\Cache\*.bin
- Network: TCP/3389 from VPN pool to internal servers

7. Root Cause Analysis:

  • Primary Cause: Credential compromise likely due to password reuse across systems.
  • Contributing Factors:
    1. MFA not enabled for VPN (legacy exception)
    2. Excessive permissions (jsmith added to RDP users group unnecessarily)
    3. No geolocation-based VPN restrictions
    4. Delayed detection (12-minute dwell time)
  • Attack Attribution:
    • TTPs consistent with APT29 (Cozy Bear): Credential theft, RDP for lateral movement, reconnaissance focus
    • Russian IP address aligns with known APT29 infrastructure
    • However, could be opportunistic attack using stolen credentials

8. Recommendations & Lessons Learned:

  • Technical Controls:
    1. MFA Enforcement: Remove all MFA exceptions; implement conditional access policies
    2. VPN Hardening: Implement geolocation blocking for high-risk countries
    3. RDP Restrictions: Use Remote Desktop Gateway with pre-authentication
    4. Credential Protection: Implement Azure AD Password Protection with custom banned passwords
  • Process Improvements:
    1. Incident Response: Create playbook for “Compromised VPN Credentials”
    2. Privilege Management: Implement quarterly access reviews for RDP groups
    3. Threat Hunting: Weekly hunts for “VPN to RDP” patterns
  • Monitoring Enhancements:
    1. SIEM Rules: Add correlation for “VPN from new country + RDP within 5 minutes”
    2. UEBA: Baseline normal VPN/RDP patterns for each user
    3. EDR: Alert on reconnaissance commands (nltest, net group) from non-admin users

9. Testing & Validation:

  • Containment Verification: Confirmed jsmith account cannot authenticate via VPN or RDP
  • Remediation Testing: Tested MFA enforcement with test account
  • Monitoring Validation: Verified new SIEM rules fire with test scenarios

10. Conclusion:

This incident demonstrates the risk of external remote services (VPN/RDP) when combined with credential compromise and weak authentication controls. The attacker gained initial access via stolen credentials, leveraged excessive permissions, and performed reconnaissance. Thanks to rapid detection and containment, the impact was limited to information disclosure rather than data exfiltration or system compromise.

Closure Justification:

  • All compromised accounts secured and monitored
  • Technical vulnerabilities addressed (MFA enabled, RDP restricted)
  • IOCs distributed to all security tools
  • Enhanced monitoring in place for similar attacks
  • User re-educated on password security

Leave a Comment