MITRE ATT&CK® Analytic

AN1004: Analytic 1004

Unusual or unauthorized external remote access attempts (e.g., RDP, VPN, Citrix) → repeated failed logins followed by a successful session from uncommon geolocations or outside business hours → subsequent internal lateral movement or data exfiltration activities.

Enterprise | AN1004 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because external remote access is often the front door to business systems. The described pattern—multiple failed logins, then a successful session from an unusual location or outside business hours, followed by internal movement or possible data exfiltration—should prompt leaders to validate whether remote access monitoring can connect authentication events to downstream activity. For executives, the value is not just detecting bad passwords; it is proving the organization can recognize suspicious remote entry before it becomes an incident affecting operations or data.

Executive priority

Prioritize this as a resilience and incident-readiness check for Windows environments where remote access services such as RDP, VPN, or Citrix are used. Leaders should ask whether security teams can correlate remote authentication, geolocation or time-of-day context, and post-login internal activity. This also supports audit and compliance evidence around access monitoring, investigation workflow, and response readiness. Because no formal detection logic for this analytic was supplied with the mirrored object, local validation is required before treating it as covered.

Technical view

SOC and detection teams should validate whether logs can show repeated failed external remote access attempts, a subsequent successful session, source location or time anomalies, and follow-on internal activity such as lateral movement or data movement indicators. The supplied platform is Windows, so Windows authentication and session telemetry should be reviewed alongside remote access infrastructure logs where available. Since tactics and relationships are not specified, this should be treated as a behavioral correlation analytic rather than a single-event alert.

Likely telemetry

  • Windows authentication success and failure events
  • Remote access logs for RDP, VPN, or Citrix where deployed
  • Session start and source IP metadata
  • Geolocation or network-origin enrichment for external access
  • Business-hours or user baseline context

Detection direction

  • Validate correlation from repeated failed logins to a later successful session by the same account or source context.
  • Tune for uncommon geolocations, outside-hours activity, and deviations from normal user access patterns.
  • Correlate successful external access with subsequent internal lateral movement or data movement signals instead of alerting only on failed logins.
  • Review false positives from travel, remote work, helpdesk activity, VPN concentrator behavior (sessions that surface with a pooled internal address rather than the true external source), and shared egress locations.
  • Identify blind spots where VPN, Citrix, or RDP logs are not centralized or cannot be joined to Windows authentication telemetry.
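The three-stage correlation described above, as an added example that is not part of the ATT&CK object or Glexia's commentary. It runs over a handful of constructed records shaped like Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 for RDP and 3 for network logons) and uses constructed geolocation, asset-inventory and business-hours lookups; a real deployment would swap those for a GeoIP feed, the VPN or Citrix gateway logs and an inventory source. Thresholds and windows are illustrative assumptions.

```python
"""Correlate repeated failed external remote logons with a later successful
session that carries a geolocation or time-of-day anomaly, then attach
follow-on internal logons sourced from the host that accepted the session.
Sample events below are constructed for this example, not real telemetry."""
import ipaddress
from datetime import datetime, timedelta

# Constructed records shaped like Windows Security events. id 4625 = failed
# logon, 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP),
# 3 = Network (used here as the lateral-movement signal). All times UTC.
SAMPLE_EVENTS = [
    # suspicious: six failures then success from a non-home country at 02:00
    *[{"ts": f"2024-03-12T02:0{n}:00", "id": 4625, "user": "jdoe",
       "src_ip": "203.0.113.45", "host": "WS-FIN-07", "logon_type": 10}
      for n in range(6)],
    {"ts": "2024-03-12T02:06:00", "id": 4624, "user": "jdoe",
     "src_ip": "203.0.113.45", "host": "WS-FIN-07", "logon_type": 10},
    {"ts": "2024-03-12T02:20:00", "id": 4624, "user": "jdoe",
     "src_ip": "10.0.5.23", "host": "FS-01", "logon_type": 3},
    {"ts": "2024-03-12T02:25:00", "id": 4624, "user": "jdoe",
     "src_ip": "10.0.5.23", "host": "DC-01", "logon_type": 3},
    # benign: two typos then success, home country, during business hours
    {"ts": "2024-03-12T09:00:00", "id": 4625, "user": "asmith",
     "src_ip": "198.51.100.7", "host": "WS-HR-02", "logon_type": 10},
    {"ts": "2024-03-12T09:01:00", "id": 4625, "user": "asmith",
     "src_ip": "198.51.100.7", "host": "WS-HR-02", "logon_type": 10},
    {"ts": "2024-03-12T09:02:00", "id": 4624, "user": "asmith",
     "src_ip": "198.51.100.7", "host": "WS-HR-02", "logon_type": 10},
]

# Constructed enrichment (assumption: production code would read these from a
# GeoIP feed, the VPN/Citrix gateway logs and an asset inventory).
GEO = {"203.0.113.45": "RO", "198.51.100.7": "US"}
HOME_COUNTRIES = {"US"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOST_IPS = {"WS-FIN-07": "10.0.5.23", "WS-HR-02": "10.0.5.40"}
BUSINESS_HOURS = (8, 18)  # working hours, Monday to Friday


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outside_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=15),
              followup_window=timedelta(hours=2)):
    """One alert per successful external RDP logon preceded by at least
    fail_threshold failures (same account or same source) inside fail_window,
    where the session also has a geolocation or time-of-day anomaly. Network
    logons by the same account, sourced from the entry host and landing on a
    different host within followup_window, are attached as lateral targets."""
    evs = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                 key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(evs):
        if e["id"] != 4624 or e["logon_type"] != 10 or is_internal(e["src_ip"]):
            continue
        # stage 1: failures before this success, by the same account or source
        fails = [f for f in evs[:i] if f["id"] == 4625
                 and e["ts"] - f["ts"] <= fail_window
                 and (f["user"] == e["user"] or f["src_ip"] == e["src_ip"])]
        if len(fails) < fail_threshold:
            continue
        # stage 2: uncommon geolocation or outside business hours
        country = GEO.get(e["src_ip"], "unknown")
        reasons = []
        if country not in HOME_COUNTRIES:
            reasons.append(f"geo={country}")
        if outside_hours(e["ts"]):
            reasons.append("outside_hours")
        if not reasons:
            continue
        # stage 3: internal network logons originating from the entry host
        entry_ip = HOST_IPS.get(e["host"])
        followups = [x["host"] for x in evs[i + 1:]
                     if x["id"] == 4624 and x["logon_type"] == 3
                     and x["user"] == e["user"] and x["src_ip"] == entry_ip
                     and x["host"] != e["host"]
                     and x["ts"] - e["ts"] <= followup_window]
        alerts.append({"user": e["user"], "src_ip": e["src_ip"],
                       "entry_host": e["host"], "session_ts": e["ts"].isoformat(),
                       "failed_attempts": len(fails), "reasons": reasons,
                       "lateral_targets": followups})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In a SIEM the same logic is a join between the 4625/4624 stream from the remote access hosts and a second 4624 (logon type 3) stream keyed on account and source address; the joins only work if the gateway logs and Windows authentication events share a retention window and a normalized source-address field, which is exactly the blind spot the last bullet calls out. The benign asmith sequence is dropped at stage 1, and would also be dropped at stage 2 on a lower threshold, which is the tuning behaviour to confirm against your own travel and helpdesk baselines.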

Mitigation priorities

  • Ensure remote access authentication and session logs are retained and available to the SOC.
  • Strengthen identity controls for external remote access, especially for high-risk and privileged accounts.
  • Define expected access patterns such as approved geographies, hours, and remote access methods where operationally feasible.
  • Prepare incident response procedures for suspicious remote access that include account containment, session review, and downstream activity scoping.
  • Use the analytic as a control-validation exercise rather than assuming coverage from tool deployment alone.

Analyst notes and limits

The object is a MITRE ATT&CK detection analytic, AN1004, for Windows. It describes suspicious external remote access behavior involving failed logins, later success, unusual location or timing, and possible follow-on lateral movement or data exfiltration activity. No ATT&CK relationships, tactics, labels, aliases, or official detection logic were supplied, so the take focuses on validation and telemetry requirements rather than specific rule content.

Official detection content was not provided, and no relationship context was supplied. The analytic mentions examples such as RDP, VPN, and Citrix, but local applicability depends on which remote access technologies and logs exist in the environment. Detection quality will depend on telemetry retention, identity context, source enrichment, and the ability to correlate authentication with post-login activity.

Official MITRE ATT&CK definition

Analytic 1004

Unusual or unauthorized external remote access attempts (e.g., RDP, VPN, Citrix) → repeated failed logins followed by a successful session from uncommon geolocations or outside business hours → subsequent internal lateral movement or data exfiltration activities.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 824740ebfd81e996...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 824740ebfd81…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, AN1004 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.