MITRE ATT&CK Technique
T1133 External Remote Services (Persistence, Initial Access)
Description

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)

Adversaries may also establish persistence on a network by configuring a Tor hidden service on a compromised system. Adversaries may use the tool `ShadowLink` to install and configure the Tor hidden service; the hidden service is then reachable over the Tor network because `ShadowLink` sets up a .onion address on the compromised system. `ShadowLink` may be used to forward any inbound connections to RDP, giving the adversaries remote access.(Citation: The BadPilot campaign) Adversaries may get `ShadowLink` to persist on a system by masquerading it as an MS Defender application.(Citation: Russian threat actors dig in, prepare to seize on war fatigue)
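Two of the unauthenticated container exposures named in the description (an anonymous-accessible Kubernetes API server and a Docker Engine API bound to a TCP port without client-certificate TLS) can be checked from data a defender already has: the API server audit log and the daemon's configuration file. The following is an added example, not code from the ATT&CK page or from any of the cited reports. The audit events and the daemon.json contents are constructed; the assumption that only `/healthz`, `/livez`, `/readyz` and `/version` are expected for `system:anonymous` matches the default `system:public-info-viewer` ClusterRole and will be too strict on clusters that deliberately grant anonymous callers more.

```python
import json

# Constructed Kubernetes audit events (audit.k8s.io/v1, JSON lines), not real
# log data. Only the fields the checks use are populated.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestReceivedTimestamp":"2025-03-01T10:00:01Z","verb":"get","requestURI":"/version","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestReceivedTimestamp":"2025-03-01T10:00:02Z","verb":"list","requestURI":"/api/v1/secrets","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestReceivedTimestamp":"2025-03-01T10:00:03Z","verb":"list","requestURI":"/api/v1/pods","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestReceivedTimestamp":"2025-03-01T10:00:04Z","verb":"create","requestURI":"/api/v1/namespaces/default/pods","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestReceivedTimestamp":"2025-03-01T10:00:05Z","verb":"get","requestURI":"/api/v1/namespaces/kube-system/secrets/admin-token","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["10.0.0.5"],"responseStatus":{"code":200}}
"""

# Paths the default system:public-info-viewer ClusterRole lets anonymous
# callers reach even on a hardened cluster. Assumption: anything else that is
# answered with a success code for system:anonymous means anonymous auth is
# enabled and RBAC has granted it more than the defaults.
ANON_ALLOWED_PREFIXES = ("/healthz", "/livez", "/readyz", "/version")


def is_unauthenticated_access(event):
    """True when an anonymous caller got a non-error response to a non-default path."""
    user = event.get("user", {})
    anonymous = (user.get("username") == "system:anonymous"
                 or "system:unauthenticated" in user.get("groups", []))
    if not anonymous:
        return False
    code = event.get("responseStatus", {}).get("code", 0)
    if code >= 400:
        return False  # rejected by authn/authz: no exposure, though worth rate-watching
    return not event.get("requestURI", "").startswith(ANON_ALLOWED_PREFIXES)


def scan_audit_log(lines):
    """Return one finding per audit event that shows unauthenticated API access."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_unauthenticated_access(event):
            findings.append({
                "time": event.get("requestReceivedTimestamp"),
                "src": (event.get("sourceIPs") or ["?"])[0],
                "verb": event.get("verb"),
                "uri": event.get("requestURI"),
                "code": event["responseStatus"]["code"],
            })
    return findings


# Constructed /etc/docker/daemon.json contents: the first publishes the Engine
# API on every interface with no TLS, the second is loopback-only and also
# requires client certificates.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAFE_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],'
                    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')

LOOPBACK = ("127.0.0.1", "localhost", "[::1]", "::1")


def docker_api_exposed(daemon_json):
    """Return tcp:// listeners from a daemon.json that accept unauthenticated remote calls.

    "tls": true alone only encrypts; without "tlsverify" any client can talk to
    the daemon, so only tlsverify counts as authentication here.
    """
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    exposed = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if addr not in LOOPBACK:
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print("anonymous {verb} {uri} from {src} -> {code}".format(**f))
    print("exposed docker listeners:", docker_api_exposed(EXPOSED_DAEMON_JSON))
```

The Docker check only covers daemon.json; `-H tcp://...` on the dockerd command line (typically in the systemd unit) produces the same exposure and has to be checked there. On the Kubernetes side, a cluster started with `--anonymous-auth=false` produces no `system:anonymous` events at all, which is the condition this scan should normally confirm.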
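The ShadowLink behaviour described above (a Tor hidden service whose .onion address forwards inbound connections to local RDP) leaves a recognisable artefact in the Tor configuration: a `HiddenServicePort` line whose target is a remote-access port. The following is an added example, not code from the ATT&CK page or from the Microsoft reports it cites, and it does not reproduce ShadowLink itself. The torrc content is constructed, and the set of flagged ports (RDP, WinRM, VNC, SSH) is the author's choice. It parses the real torrc syntax: `HiddenServiceDir <path>` followed by one or more `HiddenServicePort VIRTPORT [TARGET]` lines, where TARGET is `host:port`, a bare port, or a `unix:` socket, and defaults to 127.0.0.1:VIRTPORT when omitted.

```python
# Remote-access services worth flagging behind a .onion. RDP, WinRM and VNC
# are the ones this technique page names; SSH is added by assumption.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS", 5900: "VNC", 22: "SSH"}

# Constructed torrc, not taken from any report: the first hidden service
# publishes local RDP as a .onion, the second is an ordinary web service
# plus an SSH forward to a unix socket (port not knowable from the config).
SAMPLE_TORRC = """
# torrc
SocksPort 0
HiddenServiceDir C:\\ProgramData\\svc\\hs
HiddenServicePort 3389 127.0.0.1:3389
HiddenServiceDir /var/lib/tor/www
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 22 unix:/var/run/sshd.sock
"""


def parse_hidden_services(torrc_text):
    """Group HiddenServicePort lines under the HiddenServiceDir that precedes them.

    Tor option names are case-insensitive and '#' starts a comment.
    """
    services = []
    current = None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            current = {"dir": value, "ports": []}
            services.append(current)
        elif key == "hiddenserviceport" and current is not None:
            fields = value.split()
            virtport = int(fields[0])
            # Target defaults to 127.0.0.1:VIRTPORT when omitted.
            target = fields[1] if len(fields) > 1 else "127.0.0.1:%d" % virtport
            current["ports"].append((virtport, target))
    return services


def target_port(target):
    """TCP port of a HiddenServicePort target, or None for a unix socket."""
    if target.startswith("unix:"):
        return None
    host, sep, port = target.rpartition(":")  # handles '[::1]:3389' too
    if not sep:
        return int(target)  # bare port
    return int(port)


def find_remote_access_onions(torrc_text):
    """Return every hidden-service forward whose target is a remote-access port."""
    findings = []
    for svc in parse_hidden_services(torrc_text):
        for virtport, target in svc["ports"]:
            port = target_port(target)
            if port in REMOTE_ACCESS_PORTS:
                findings.append({
                    "dir": svc["dir"],
                    "virtport": virtport,
                    "target": target,
                    "service": REMOTE_ACCESS_PORTS[port],
                })
    return findings


if __name__ == "__main__":
    for f in find_remote_access_onions(SAMPLE_TORRC):
        print("%s exposed via .onion port %d -> %s (%s)"
              % (f["service"], f["virtport"], f["target"], f["dir"]))
```

Matching on the target port rather than the virtual port matters: publishing RDP on virtual port 443 still forwards to 127.0.0.1:3389 and is caught, while a forward to a unix socket cannot be classified from the config alone. Because the description says ShadowLink masquerades as an MS Defender application, the torrc will not necessarily sit under a default Tor install path; locate it from the command line of the process that is actually listening, and treat the `hostname` file inside each `HiddenServiceDir` (which holds the .onion address) as evidence to collect.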

Supported Platforms
Containers Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:31:44.421Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may leverage external-facing remote services to '
                'initially access and/or persist within a network. Remote '
                'services such as VPNs, Citrix, and other access mechanisms '
                'allow users to connect to internal enterprise network '
                'resources from external locations. There are often remote '
                'service gateways that manage connections and credential '
                'authentication for these services. Services such as [Windows '
                'Remote '
                'Management](https://attack.mitre.org/techniques/T1021/006) '
                'and [VNC](https://attack.mitre.org/techniques/T1021/005) can '
                'also be used externally.(Citation: MacOS VNC software for '
                'Remote Desktop)\n'
                '\n'
                'Access to [Valid '
                'Accounts](https://attack.mitre.org/techniques/T1078) to use '
                'the service is often a requirement, which could be obtained '
                'through credential pharming or by obtaining the credentials '
                'from users after compromising the enterprise '
                'network.(Citation: Volexity Virtual Private Keylogging) '
                'Access to remote services may be used as a redundant or '
                'persistent access mechanism during an operation.\n'
                '\n'
                'Access may also be gained through an exposed service that '
                'doesn’t require authentication. In containerized '
                'environments, this may include an exposed Docker API, '
                'Kubernetes API server, kubelet, or web application such as '
                'the Kubernetes dashboard.(Citation: Trend Micro Exposed '
                'Docker Server)(Citation: Unit 42 Hildegard Malware)\n'
                '\n'
                'Adversaries may also establish persistence on network by '
                'configuring a Tor hidden service on a compromised system. '
                'Adversaries may utilize the tool `ShadowLink` to facilitate '
                'the installation and configuration of the Tor hidden service. '
                'Tor hidden service is then accessible via the Tor network '
                'because `ShadowLink` sets up a .onion address on the '
                'compromised system. `ShadowLink` may be used to forward any '
                'inbound connections to RDP, allowing the adversaries to have '
                'remote access.(Citation: The BadPilot campaign) Adversaries '
                'may get `ShadowLink` to persist on a system by masquerading '
                'it as an MS Defender application.(Citation: Russian threat '
                'actors dig in, prepare to seize on war fatigue)',
 'external_references': [{'external_id': 'T1133',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1133'},
                         {'description': 'Adair, S. (2015, October 7). Virtual '
                                         'Private Keylogging: Cisco Web VPNs '
                                         'Leveraged for Access and '
                                         'Persistence. Retrieved March 20, '
                                         '2017.',
                          'source_name': 'Volexity Virtual Private Keylogging',
                          'url': 'https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/'},
                         {'description': 'Apple Support. (n.d.). Set up a '
                                         'computer running VNC software for '
                                         'Remote Desktop. Retrieved August 18, '
                                         '2021.',
                          'source_name': 'MacOS VNC software for Remote '
                                         'Desktop',
                          'url': 'https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac'},
                         {'description': 'Chen, J. et al. (2021, February 3). '
                                         'Hildegard: New TeamTNT Cryptojacking '
                                         'Malware Targeting Kubernetes. '
                                         'Retrieved April 5, 2021.',
                          'source_name': 'Unit 42 Hildegard Malware',
                          'url': 'https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/'},
                         {'description': 'Microsoft Threat Intelligence. '
                                         '(2023, December 7). Russian threat '
                                         'actors dig in, prepare to seize on '
                                         'war fatigue. Retrieved June 18, '
                                         '2025.',
                          'source_name': 'Russian threat actors dig in, '
                                         'prepare to seize on war fatigue',
                          'url': 'https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue'},
                         {'description': 'Microsoft Threat Intelligence. '
                                         '(2025, February 12). The BadPilot '
                                         'campaign: Seashell Blizzard subgroup '
                                         'conducts multiyear global access '
                                         'operation. Retrieved June 18, 2025.',
                          'source_name': 'The BadPilot campaign',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/?ref=thestack.technology'},
                         {'description': 'Remillano II, A., et al. (2020, June '
                                         '20). XORDDoS, Kaiji Variants Target '
                                         'Exposed Docker Servers. Retrieved '
                                         'April 5, 2021.',
                          'source_name': 'Trend Micro Exposed Docker Server',
                          'url': 'https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html'}],
 'id': 'attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'initial-access'}],
 'modified': '2025-10-24T17:48:24.982Z',
 'name': 'External Remote Services',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['ExtraHop',
                          'David Fiser, @anu4is, Trend Micro',
                          'Alfredo Oliveira, Trend Micro',
                          'Idan Frimark, Cisco',
                          'Rory McCune, Aqua Security',
                          'Yuval Avrahami, Palo Alto Networks',
                          'Jay Chen, Palo Alto Networks',
                          'Brad Geesaman, @bradgeesaman',
                          'Magno Logan, @magnologan, Trend Micro',
                          'Ariel Shuper, Cisco',
                          'Yossi Weizman, Azure Defender Research Team',
                          'Vishwas Manral, McAfee',
                          'Daniel Oakley',
                          'Travis Smith, Tripwire',
                          'David Tayouri',
                          'Liran Ravich, CardinalOps'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Containers', 'Linux', 'macOS', 'Windows'],
 'x_mitre_version': '2.5'}
Related Threat Actors (32)
Play (High)
Velvet Ant (High)
FIN5 (High)
GOLD SOUTHFIELD (High)
GALLIUM (High)