interactive_login_itar

Explanation

The NDM analyzes network traffic to detect interactive login connections to SSH or RDP services from IP addresses that geolocate to countries listed under 22 CFR § 126.1, "Prohibited exports, imports, and sales to or from certain countries" (the country-restriction section of the International Traffic in Arms Regulations in the US Code of Federal Regulations). Sessions are identified by sustained communication with an interactive login service across multiple flows, so a single connection attempt from such an address does not by itself trigger the detection.
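As an added illustration of the detection logic described above (not the NDM's own implementation), the following Python models it over constructed flow records: flows to an interactive login service from a source whose country is on the restricted list are grouped per (source, destination, service), and an alert fires only when several answered flows span a minimum period. The country list, the port-to-service mapping, the prefix-based geolocation table and the thresholds are all assumptions chosen for the example; the RFC 5737 documentation prefixes used as sample addresses have no real geolocation.

```python
"""Toy detector for interactive logins (SSH/RDP) from restricted-country IPs.

Added example with constructed data; not the NDM's code or thresholds.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumption: illustrative subset of country codes only. Check the current
# text of 22 CFR 126.1 for the authoritative list before using this.
RESTRICTED_COUNTRIES = {"CU", "IR", "KP", "SY"}

# Assumption: SSH and RDP on their default ports. A real sensor should also
# identify the service by protocol fingerprint rather than by port alone.
INTERACTIVE_SERVICES = {22: "ssh", 3389: "rdp"}

# Constructed geolocation table using RFC 5737 documentation prefixes; in
# production this would be a GeoIP database lookup. These mappings are fake.
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}


@dataclass
class Flow:
    ts: float        # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    duration: float  # seconds
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client


def country_of(ip: str) -> Optional[str]:
    """Longest-match is unnecessary here: the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return None


def detect_interactive_logins(flows, min_flows=3, min_span=60.0):
    """Return one alert per (src, dst, service) showing sustained, answered
    traffic to an interactive login service across several flows from a
    source in a restricted country. Thresholds are assumptions."""
    sessions = defaultdict(list)
    for f in flows:
        service = INTERACTIVE_SERVICES.get(f.dport)
        if service is None:
            continue
        # Unanswered probes (no bytes back) are scanning, not a login session.
        if f.bytes_in == 0 or f.bytes_out == 0:
            continue
        if country_of(f.src) not in RESTRICTED_COUNTRIES:
            continue
        sessions[(f.src, f.dst, service)].append(f)

    alerts = []
    for (src, dst, service), fs in sessions.items():
        fs.sort(key=lambda f: f.ts)
        span = (fs[-1].ts + fs[-1].duration) - fs[0].ts
        if len(fs) >= min_flows and span >= min_span:
            alerts.append({
                "src": src, "country": country_of(src), "dst": dst,
                "service": service, "flows": len(fs), "span_seconds": span,
                "technique": "T1021",
            })
    return alerts


# Constructed sample flows.
SAMPLE_FLOWS = [
    # Sustained SSH session from a "restricted" address: should alert.
    Flow(1000.0, "203.0.113.10", "10.0.0.5", 22, 30.0, 4_000, 20_000),
    Flow(1100.0, "203.0.113.10", "10.0.0.5", 22, 45.0, 6_000, 35_000),
    Flow(1300.0, "203.0.113.10", "10.0.0.5", 22, 20.0, 2_000, 9_000),
    # Single unanswered RDP probe from the same range: scanning, no alert.
    Flow(1200.0, "203.0.113.9", "10.0.0.7", 3389, 0.1, 60, 0),
    # HTTPS from the same range: not an interactive login service.
    Flow(1250.0, "203.0.113.10", "10.0.0.8", 443, 5.0, 1_500, 40_000),
    # Sustained RDP from a non-restricted country: no alert.
    Flow(1000.0, "198.51.100.4", "10.0.0.5", 3389, 600.0, 90_000, 800_000),
    Flow(1700.0, "198.51.100.4", "10.0.0.5", 3389, 600.0, 90_000, 800_000),
    Flow(2400.0, "198.51.100.4", "10.0.0.5", 3389, 600.0, 90_000, 800_000),
]

if __name__ == "__main__":
    for alert in detect_interactive_logins(SAMPLE_FLOWS):
        print(alert)
```

Run against the sample data, only the three-flow SSH session from 203.0.113.10 produces an alert; the lone unanswered RDP probe, the HTTPS traffic and the RDP sessions from the non-restricted prefix are all filtered out, which is the difference between "sustained communication across multiple flows" and a single connection.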

What to Look For

Depending on your organization's international footprint, interactive login sessions from countries on this list may be unexpected and may represent suspicious or malicious activity. Keep in mind that IP geolocation is approximate and that traffic relayed through a VPN or proxy carries the country of the exit point rather than of the actual operator. Examine authentication logs on the targeted host to determine whether the login succeeded and which account was used: on Linux, the sshd entries in the system auth log ("Accepted password" or "Accepted publickey" versus "Failed password"); on Windows, Security log Event ID 4624 with logon type 10 (RemoteInteractive) for RDP. If access succeeded, treat the account and host as compromised until shown otherwise. Consider limiting Internet exposure of remote login services by placing them behind a VPN or bastion host, restricting permitted source addresses, and requiring multi-factor authentication.

Related MITRE ATT&CK Categories

Remote Services, Technique T1021 - Enterprise (sub-techniques T1021.001 Remote Desktop Protocol and T1021.004 SSH)