
Alert Pack: Remote Services (MITRE ATT&CK Technique: T1021)

Purpose

Remote Services are integral to IT operations. Because of their importance, they need an extra layer of protection. This alert pack provides that protection in the form of signature-based detections that alert when an attacker is misusing remote services.

These alerts help bolster your defenses around your organization's Remote Services. They span multiple technologies to fit your environment and provide the detection capability needed to help stop attackers.

Remote Services are used everywhere within organizations and are often part of crucial business processes. Attackers often use valid accounts to perform actions as the legitimate user and cause disruption. That is why these alerts are key: they help your company protect against the misuse of its assets and improve its security posture.

Security Operations application

SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.

SecOpsBroWinLsatUserEnumeration

SecOpsFWExternalSMBTrafficDetectedFirewall

SecOpsLinuxExtNetworkviaTelnet

SecOpsBroWinDceRpcSamrEnumeration

SecOpsFWRDPExternalAccess

SecOpsWinNetworkShareCreated

SecOpsBroSmbFirstSeenShare

SecOpsFWSMBInternalScanningDetected

SecOpsWinAdminShareSuspiciousUse

SecOpsBroWinDceRpceServiceCall

SecOpsLinuxIntNetworkviaTelnet

SecOpsVNCPortOpen

SecOpsFWSMBTrafficOutbound


What are Remote Services?

Adversaries may use Valid Accounts to log into services specifically designed to accept remote connections, such as Telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in with one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as Secure Shell (SSH) or Remote Desktop Protocol (RDP).
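To illustrate the kind of signature the firewall-oriented alerts in this pack express (external access to a remote-service port, and one internal host touching many SMB targets), here is an added example that is not part of this page or of the alert pack's own definitions. It parses a constructed, made-up key=value firewall log (not Devo's or any vendor's real format), treats only the RFC 1918 ranges as internal, and uses the RFC 5737 documentation ranges to stand in for internet addresses. The port-to-service mapping and the scanning threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed mapping of remote-service ports to names for this example;
# not the alert pack's own definition.
REMOTE_SERVICE_PORTS = {
    22: "SSH",
    23: "Telnet",
    445: "SMB",
    3389: "RDP",
    5900: "VNC",
}

# Only RFC 1918 space counts as internal here. This is deliberate:
# Python's ipaddress marks the RFC 5737 documentation ranges as
# "private", so relying on ip.is_private would misclassify our
# stand-in external addresses.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample firewall records in a made-up key=value layout.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 play the role of
# internet-facing sources.
SAMPLE_LOG = """\
src=10.0.1.15 dst=10.0.2.20 dport=3389 action=allow
src=203.0.113.7 dst=10.0.2.20 dport=3389 action=allow
src=198.51.100.9 dst=10.0.2.30 dport=445 action=allow
src=10.0.1.15 dst=10.0.2.21 dport=445 action=allow
src=10.0.1.15 dst=10.0.2.22 dport=445 action=allow
src=10.0.1.15 dst=10.0.2.23 dport=445 action=allow
src=10.0.1.15 dst=10.0.2.24 dport=445 action=allow
src=10.0.1.15 dst=10.0.2.25 dport=445 action=allow
src=10.0.1.40 dst=10.0.2.50 dport=443 action=allow
src=192.0.2.55 dst=10.0.2.60 dport=23 action=deny
"""


def is_internal(addr):
    """True when the address falls in one of the RFC 1918 ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Turn one 'k=v k=v ...' record into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def external_remote_access(records):
    """Allowed connections from a non-internal source to a remote-service port.

    Mirrors the idea behind external RDP/SMB access alerts: the interesting
    event is a permitted session, so denied attempts are left out.
    Returns (src, dst, service) tuples.
    """
    hits = []
    for r in records:
        svc = REMOTE_SERVICE_PORTS.get(r["dport"])
        if svc and r["action"] == "allow" and not is_internal(r["src"]):
            hits.append((str(r["src"]), str(r["dst"]), svc))
    return hits


def internal_smb_scanning(records, threshold=5):
    """Internal sources that reached at least `threshold` distinct internal
    hosts on TCP/445. Returns {source: distinct_target_count}."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == 445 and is_internal(r["src"]) and is_internal(r["dst"]):
            targets[str(r["src"])].add(str(r["dst"]))
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, svc in external_remote_access(recs):
        print(f"external {svc} access: {src} -> {dst}")
    for src, n in internal_smb_scanning(recs).items():
        print(f"internal SMB scanning: {src} hit {n} hosts")
```

On the sample above, the external check flags the RDP session from 203.0.113.7 and the SMB session from 198.51.100.9 but not the denied Telnet attempt, and the scanning check reports 10.0.1.15 for reaching five distinct internal hosts on 445. The threshold and the "allow only" filter are the two knobs a practitioner would tune against their own baseline before turning such a signature into an alert.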

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.