title: External Remote Services (T1133)
id: df00tech-t1133
status: experimental
description: >
  Adversaries may leverage external-facing remote services to initially access and/or persist
  within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users
  to connect to internal enterprise network resources from external locations. Adversaries
  typically obtain valid credentials first via phishing, credential stuffing, or prior compromise,
  then authenticate to these services from external infrastructure. This technique covers VPN
  gateways (GlobalProtect, AnyConnect, Pulse Secure, SoftEther), Remote Desktop Protocol, Windows
  Remote Management, Citrix, VNC, SSH, and exposed container APIs (Docker daemon on TCP 2375/2376,
  Kubernetes API server on 6443, kubelet on 10250). Threat groups including LAPSUS$, Volt Typhoon,
  Ember Bear, OilRig, GALLIUM, Scattered Spider, APT41, and Sandworm Team have been observed
  abusing legitimate remote access mechanisms for initial access and persistent footholds. In
  containerized environments, adversaries may target exposed Docker APIs or Kubernetes management
  interfaces that accept anonymous or unauthenticated connections. Adversaries may also establish
  persistence through Tor hidden services using tools like ShadowLink, which may masquerade as
  legitimate Windows Defender components to forward inbound RDP connections over the Tor network.
references:
  - https://attack.mitre.org/techniques/T1133/
  - https://df00tech.com/detections/T1133
author: df00tech
date: 2026/04/19
tags:
  - attack.t1133
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate remote workers connecting to corporate VPN or Citrix from home or hotel networks — the external IP is expected and authorized
  - IT administrators using RDP or WinRM from authorized jump hosts or bastion servers with external-routable IPs
  - Third-party vendors and contractors with documented remote access agreements connecting from their own infrastructure
  - Cloud-hosted management planes (Azure DevOps agents, AWS Systems Manager, etc.) whose gateway IPs appear external
  - Employees traveling internationally whose access from a foreign country IP triggers the detection despite valid authorization
level: high
