Applied Cybernetics Group
T1133 — External Remote Services
- Technique
T1133- Tactics
- Persistence, Initial Access
- MISP citations
- 0
- KEV CVEs mapped
- 25
- Community rules
- 20
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1133
MITRE description
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop) Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation. Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware) Adversaries may also establish persistence on network by configuring a Tor hidden service on a compromised system. Adversaries may utilize the tool `ShadowLink` to facilitate the installation and configuration of the Tor hidden service. Tor hidden service is then accessible via the Tor network because `ShadowLink` sets up a .onion address on the compromised system. `ShadowLink` may be used to forward any inbound connections to RDP, allowing the adversaries to have remote access.(Citation: The BadPilot campaign) Adversaries may get `ShadowLink` to persist on a system by masquerading it as an MS Defender application.(Citation: Russian threat actors dig in, prepare to seize on war fatigue)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
CVE-2025-32756CVE-2024-45195CVE-2024-11120CVE-2023-48365CVE-2023-39780CVE-2023-27532CVE-2023-20269CVE-2022-20699CVE-2021-26857CVE-2021-26855CVE-2021-22986CVE-2021-1498CVE-2021-1497CVE-2020-8515CVE-2020-5902CVE-2020-25506CVE-2020-1472CVE-2019-5591CVE-2019-3396CVE-2019-19781CVE-2019-11510CVE-2019-0708CVE-2018-4939CVE-2014-7169CVE-2014-6271
Detection coverage
SigmaHQ community rules
- Potential Exploitation of GoAnywhere MFT Vulnerability (emerging-threats)
- OpenCanary - RDP New Connection Attempt (core)
- OpenCanary - SSH Login Attempt (core)
- OpenCanary - SSH New Connection Attempt (core)
- OpenCanary - Telnet Login Attempt (core)
- Remote Access Tool - Team Viewer Session Started On Linux Host (core)
- Remote Access Tool - Team Viewer Session Started On MacOS Host (core)
- FortiGate - New VPN SSL Web Portal Added (core)
- FortiGate - VPN SSL Settings Modified (core)
- External Remote RDP Logon from Public IP (core)
- External Remote SMB Logon from Public IP (core)
- Failed Logon From Public IP (core)
- Unusual File Modification by dns.exe (core)
- Unusual File Deletion by Dns.exe (core)
- Suspicious File Created by ArcSOC.exe (core)
- Unusual Child Process of dns.exe (core)
- Remote Access Tool - ScreenConnect Installation Execution (core)
- Remote Access Tool - Team Viewer Session Started On Windows Host (core)
- User Added to Remote Desktop Users Group (core)
- Running Chrome VPN Extensions via the Registry 2 VPN Extension (core)