Clankerusecase
MITRE ATT&CK detection coverage

T1133 External Remote Services

T1133 — External Remote Services is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 61 detection use cases covering it and 16 threat-intel articles citing it.

Tactics: Persistence, Initial Access
61 use cases
16 articles
0 sub-techniques
2 tactics

Use cases covering this technique (61)

[WEEKLY] Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) | Internal exploit · alerting | DSPDD
[WEEKLY] Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request | Internal actions · alerting | DSPDD
[WEEKLY] Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution | Internal exploit · alerting | DSΣPDD
[WEEKLY] Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write | Internal exploit · alerting | DSPDD
Detect Exchange Web Shell | ESCU actions · alerting | P
Exchange PowerShell Abuse via SSRF | ESCU actions · alerting | P
Java Writing JSP File | ESCU actions · alerting | P
Living Off The Land Detection | ESCU actions · alerting | P
Log4Shell CVE-2021-44228 Exploitation | ESCU actions · alerting | P
MS Exchange Mailbox Replication service writing Active Server Pages | ESCU actions · alerting | P
Outbound Network Connection from Java Using Default Ports | ESCU actions · alerting | P
PaperCut NG Suspicious Behavior Debug Log | ESCU actions · hunting | P
Web or Application Server Spawning a Shell | ESCU actions · alerting | P
Windows MOVEit Transfer Writing ASPX | ESCU actions · alerting | P
Windows PaperCut NG Spawn Shell | ESCU actions · alerting | P
Windows RDPClient Connection Sequence Events | ESCU actions · hunting | P
Cisco Network Interface Modifications | ESCU actions · hunting | P
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | ESCU actions · alerting | P
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | ESCU actions · alerting | P
Detect attackers scanning for vulnerable JBoss servers | ESCU actions · alerting | P
Exploit Public Facing Application via Apache Commons Text | ESCU actions · hunting | P
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 | ESCU actions · alerting | P
Fortinet Appliance Auth bypass | ESCU actions · alerting | P
Hunting for Log4Shell | ESCU actions · hunting | P
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 | ESCU actions · alerting | P
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 | ESCU actions · alerting | P
Log4Shell JNDI Payload Injection Attempt | ESCU actions · hunting | P
Log4Shell JNDI Payload Injection with Outbound Connection | ESCU actions · hunting | P
PaperCut NG Remote Web Access Attempt | ESCU actions · alerting | P
ProxyShell ProxyNotShell Behavior Detected | ESCU actions · alerting | P
Spring4Shell Payload URL Request | ESCU actions · alerting | P
Supernova Webshell | ESCU actions · alerting | P
VMWare Aria Operations Exploit Attempt | ESCU actions · alerting | P
VMware Server Side Template Injection Hunt | ESCU actions · hunting | P
VMware Workspace ONE Freemarker Server-side Template Injection | ESCU actions · hunting | P
Web JSP Request via URL | ESCU actions · alerting | P
Web Spring4Shell HTTP Request Class Module | ESCU actions · alerting | P
Web Spring Cloud Function FunctionRouter | ESCU actions · alerting | P
Windows Exchange Autodiscover SSRF Abuse | ESCU actions · alerting | P
Linux Java Spawning Shell | ESCU actions · alerting | P
Windows Java Spawning Shells | ESCU actions · alerting | P
[LLM] Internet-facing web service spawning interactive SSH into management subnet | Bespoke delivery · alerting | DSΣPDDCS
[LLM] Ivanti Sentry instances vulnerable to CVE-2026-10520 / CVE-2026-10523 | Bespoke recon · alerting | DSP
[LLM] External / non-internal HTTP access to Ivanti Sentry /mics admin portal | Bespoke delivery · hunting | DSΣPDD
[LLM] Unauthenticated POST to /mcp endpoint on TCP 8080 (CVE-2026-48039) | Bespoke delivery · alerting | DSΣPDDCS
[LLM] meta-ads-mcp Streamable HTTP listener bound to non-loopback interface | Bespoke weapon · alerting | DSΣPDDCS
[LLM] First successful FortiGate admin/SSL-VPN login from never-seen ASN after failure burst | Bespoke exploit · hunting | DSPDD
[LLM] Check Point Remote Access VPN inbound auth from CVE-2026-50751 actor VPS IPs | Bespoke exploit · hunting | DSΣPDDCSCW
[LLM] pfSense / firewall config change enabling Web SSL VPN after admin login | Bespoke install · hunting | SPDD
[LLM] Inbound TCP connection to Vitest UI port 51204 from non-loopback source | Bespoke delivery · hunting | DSΣPDDCSCW
[LLM] PraisonAI A2A example server started with vulnerable 0.0.0.0 bind and no auth_token | Bespoke install · hunting | DSΣPDDCS
[LLM] PraisonAI `deploy --type api` command execution — vulnerable server provisioned | Bespoke install · hunting | DSΣPDDCS
[LLM] Public inbound to PraisonAI Flask listener on TCP/8005 (default port, 0.0.0.0 bind) | Bespoke delivery · alerting | DSPDDCSCW
[LLM] CVE-2026-46614: Unauthorized /fission-function/ invocation on Fission router public listener (port 8888) | Bespoke exploit · alerting | SΣPDD
[LLM] Coder CVE-2026-46354 - Burst of azure-instance-identity POSTs (vmId enumeration / forged PKCS#7) | Bespoke exploit · alerting | SPDD
[LLM] Mass POSTs to Craft CMS Formie submission endpoint (CVE-2026-45697 SSTI exploitation scan) | Bespoke delivery · alerting | SPDD
[LLM] Cisco Secure FMC anomalous outbound HTTP PUT (Interlock CVE-2026-20131 callback) | Bespoke c2 · hunting | SP
[LLM] Inbound exploit attempt to Cisco Catalyst SD-WAN Manager from known UAT-8616 / Cluster IPs | Bespoke exploit · hunting | DSΣPDDCS
[LLM] Astro SSRF (CVE-2026-25545) — Node.js egress fetch for /404.html or /500.html with UA 'node' | Bespoke exploit · alerting | DSΣPDD
[LLM] Astro SSRF (CVE-2026-25545) — inbound Host header mismatch with 4xx/5xx response (trigger) | Bespoke delivery · hunting | SP
[LLM] Sha1-Hulud npm Worm — Self-Hosted GitHub Actions Runner Registration with Name 'SHA1HULUD' | Bespoke install · alerting | DSΣPDD

Articles citing this technique (16)