Tactics: Persistence, Initial Access

T1133: External Remote Services

T1133 · Technique · 4 platforms · 28 groups

Description

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)

Adversaries may also establish persistence on a network by configuring a Tor hidden service on a compromised system. Adversaries may use the tool ShadowLink to install and configure the Tor hidden service. The hidden service is then reachable over the Tor network because ShadowLink sets up a .onion address on the compromised system. ShadowLink may be used to forward any inbound connections to RDP, giving the adversaries remote access.(Citation: The BadPilot campaign) Adversaries may get ShadowLink to persist on a system by masquerading it as an MS Defender application.(Citation: Russian threat actors dig in, prepare to seize on war fatigue)

Platforms

Containers, Linux, macOS, Windows

Mitigations (5)

Restrict Web-Based Content (M1021)

Restrict all traffic to and from public Tor nodes. (Citation: Defending Against Malicious Cyber Activity Originating from Tor)

Network Segmentation (M1030)

Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.

Disable or Remove Feature or Program (M1042)

Disable or block remotely available services that may be unnecessary.

Limit Access to Resource Over Network (M1035)

Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.

Multi-factor Authentication (M1032)

Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations.

Threat Groups (28)

| ID | Group | Context |
| --- | --- | --- |
| G0139 | [TeamTNT](https://attack.mitre.org/groups/G0139) | TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial ac... |
| G1016 | [FIN13](https://attack.mitre.org/groups/G1016) | FIN13 has gained access to compromised environments via remote access services such as the corporate virtual ... |
| G1003 | [Ember Bear](https://attack.mitre.org/groups/G1003) | Ember Bear have used VPNs both for initial access to victim environments and for persistence within them foll... |
| G0026 | [APT18](https://attack.mitre.org/groups/G0026) | APT18 actors leverage legitimate credentials to log into external remote services.(Citation: RSA2017 Detect a... |
| G0034 | [Sandworm Team](https://attack.mitre.org/groups/G0034) | Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the tar... |
| G1017 | [Volt Typhoon](https://attack.mitre.org/groups/G1017) | Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions.(Citation: ... |
| G1047 | [Velvet Ant](https://attack.mitre.org/groups/G1047) | Velvet Ant has leveraged access to internet-facing remote services to compromise and retain access to victim ... |
| G1015 | [Scattered Spider](https://attack.mitre.org/groups/G1015) | Scattered Spider has leveraged legitimate remote management tools to maintain persistent access.(Citation: Cr... |
| G0096 | [APT41](https://attack.mitre.org/groups/G0096) | APT41 compromised an online billing/payment service using VPN access between a third-party service provider a... |
| G1004 | [LAPSUS$](https://attack.mitre.org/groups/G1004) | LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN... |
| G0049 | [OilRig](https://attack.mitre.org/groups/G0049) | OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.(Citation: FireEye APT34... |
| G0093 | [GALLIUM](https://attack.mitre.org/groups/G0093) | GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environm... |
| G0004 | [Ke3chang](https://attack.mitre.org/groups/G0004) | Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates.(Cita... |
| G0102 | [Wizard Spider](https://attack.mitre.org/groups/G0102) | Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastruc... |
| G0016 | [APT29](https://attack.mitre.org/groups/G0016) | APT29 has used compromised identities to access networks via VPNs and Citrix.(Citation: NCSC APT29 July 2020)... |
| G0094 | [Kimsuky](https://attack.mitre.org/groups/G0094) | Kimsuky has used RDP to establish persistence.(Citation: CISA AA20-301A Kimsuky) |
| G0053 | [FIN5](https://attack.mitre.org/groups/G0053) | FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.(Citation... |
| G0027 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) | Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using extern... |
| G1041 | [Sea Turtle](https://attack.mitre.org/groups/G1041) | Sea Turtle has used external-facing SSH to achieve initial access to the IT environments of victim organizati... |
| G1055 | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) | VOID MANTICORE has leveraged public facing VPN infrastructure to gain initial access to victim environments.(... |

Associated Software (5)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0362 | [Linux Rabbit](https://attack.mitre.org/software/S0362) | Malware | Linux Rabbit attempts to gain access to the server via SSH.(Citation: Anomali Linux Rabbit 2018) |
| S1060 | [Mafalda](https://attack.mitre.org/software/S1060) | Malware | Mafalda can establish an SSH connection from a compromised host to a server.(Citation: SentinelLabs Metador... |
| S0601 | [Hildegard](https://attack.mitre.org/software/S0601) | Malware | Hildegard was executed through an unsecure kubelet that allowed anonymous access to the victim environment.... |
| S0599 | [Kinsing](https://attack.mitre.org/software/S0599) | Malware | Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API.(Citation: Aqua Kinsing ... |
| S0600 | [Doki](https://attack.mitre.org/software/S0600) | Malware | Doki was executed through an open Docker daemon API port.(Citation: Intezer Doki July 20) |

Frequently Asked Questions

What is T1133 (External Remote Services)?

T1133 is a MITRE ATT&CK technique named 'External Remote Services'. It belongs to the Persistence, Initial Access tactic(s). Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect t...

How can T1133 be detected?

Detection of T1133 (External Remote Services) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
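As an added illustration of the log review described above (example code written for this page, not part of MITRE ATT&CK or any vendor product), the script below runs two simple rules over remote-access gateway authentication events: a successful login that did not complete MFA, which is the gap mitigation M1032 closes, and a successful login whose source address is a known Tor exit node, which is what mitigation M1021 blocks. The JSON event format, field names, the exit-node list and every address are constructed for the example; a real gateway's schema and a current exit-node list would be substituted in practice.

```python
"""
Constructed T1133 detection example: flag successful remote-service logins
that lack MFA or originate from a Tor exit node.  Event schema, addresses
and the exit-node list are all invented for this example.
"""
import ipaddress
import json

# Constructed stand-in for a Tor exit-node feed (documentation-range addresses).
TOR_EXIT_NODES = {"192.0.2.44", "192.0.2.45"}

# Constructed sample log: one JSON event per line, as a VPN/RDP/Citrix gateway
# might emit. Line 4 is deliberately not JSON to exercise the error path, and
# line 5 is a failed login from a Tor exit, which the rules ignore.
SAMPLE_LOG = """\
{"ts":"2024-03-01T02:11:05Z","user":"jdoe","src_ip":"203.0.113.10","service":"vpn","result":"success","mfa":"passed"}
{"ts":"2024-03-01T02:14:40Z","user":"svc-backup","src_ip":"198.51.100.7","service":"vpn","result":"success","mfa":"none"}
{"ts":"2024-03-01T02:20:12Z","user":"asmith","src_ip":"192.0.2.44","service":"rdp-gateway","result":"success","mfa":"passed"}
gateway restarted -- free-text line, not an event
{"ts":"2024-03-01T02:31:55Z","user":"jdoe","src_ip":"192.0.2.44","service":"vpn","result":"failure","mfa":"none"}
{"ts":"2024-03-01T03:02:09Z","user":"asmith","src_ip":"203.0.113.22","service":"citrix","result":"success","mfa":"passed"}
"""

REQUIRED_FIELDS = ("ts", "user", "src_ip", "service", "result", "mfa")


def parse_events(text):
    """Parse one JSON event per line.

    Returns (events, bad_lines): well-formed events in file order, plus the
    1-based line numbers that could not be parsed or lacked a required field.
    Malformed lines are reported rather than silently dropped, so a gap in
    telemetry is visible to the analyst.
    """
    events, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            if not all(k in ev for k in REQUIRED_FIELDS):
                raise ValueError("missing field")
            ipaddress.ip_address(ev["src_ip"])  # reject non-address values
        except (ValueError, TypeError):
            bad_lines.append(lineno)
            continue
        events.append(ev)
    return events, bad_lines


def detect(events, tor_exits=TOR_EXIT_NODES):
    """Apply the two rules to successful logins only; failures are noise here."""
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        base = {k: ev[k] for k in ("ts", "user", "src_ip", "service")}
        # Rule 1: a remote service accepted a login without completed MFA,
        # the condition stolen credentials alone can satisfy.
        if ev["mfa"] != "passed":
            alerts.append({"rule": "remote-login-without-mfa", **base})
        # Rule 2: the source is a known Tor exit node.
        if ev["src_ip"] in tor_exits:
            alerts.append({"rule": "remote-login-from-tor-exit", **base})
    return alerts


def run(text=SAMPLE_LOG):
    """Convenience wrapper: parse, detect, and return both alerts and bad lines."""
    events, bad_lines = parse_events(text)
    return detect(events), bad_lines


if __name__ == "__main__":
    found, skipped = run()
    for a in found:
        print(f"{a['ts']} {a['rule']:28} user={a['user']} src={a['src_ip']} svc={a['service']}")
    if skipped:
        print(f"unparsed lines: {skipped}")
```

Both rules are intentionally stateless so they map directly onto a SIEM correlation rule; in a real deployment the exit-node set would be refreshed from a feed and the MFA check keyed to the gateway's actual field names.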

What mitigations exist for T1133?

There are 5 documented mitigations for T1133. Key mitigations include: Restrict Web-Based Content, Network Segmentation, Disable or Remove Feature or Program, Limit Access to Resource Over Network, Multi-factor Authentication.

Which threat groups use T1133?

Known threat groups using T1133 include: TeamTNT, FIN13, Ember Bear, APT18, Sandworm Team, Volt Typhoon, Velvet Ant, Scattered Spider.