Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity

Technique Detected: Remote Services | T1021

ID: DET0269
Domains: Enterprise
Analytics: AN0750, AN0751, AN0752, AN0753, AN0754
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0750

Logon via RDP or WMI by a user account followed by uncommon command execution, file manipulation, or lateral network connections.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 (LogonType=10 or 3), EventCode=4648 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Correlation window between remote login and post-access activity |
| LogonUser | Limit to service accounts or privileged users for higher fidelity |
| RemoteHostList | Allowlisting known admin jumpboxes or deployment tools |
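The AN0750 correlation, worked through as an added example (not part of the ATT&CK page): a remote logon (4624 with LogonType 3/10, or 4648) is joined to later Sysmon process-creation and network-connection events for the same account inside TimeWindow, with LogonUser and RemoteHostList as the tunables named above. The event field names, the sample telemetry and the "uncommon image" and "lateral port" sets are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real logs): a service account logs in
# over RDP (4624, LogonType 10), runs whoami and reaches SMB on another host; separately an
# admin logs in from an allowlisted jumpbox and runs the same command.
SAMPLE_EVENTS = [
    {"ts": "2025-10-21T10:00:00", "src": "Security", "EventCode": 4624, "LogonType": 10,
     "User": "svc_backup", "SrcIp": "10.0.5.23"},
    {"ts": "2025-10-21T10:02:10", "src": "Sysmon", "EventCode": 1, "User": "svc_backup",
     "Image": "C:\\Windows\\System32\\whoami.exe"},
    {"ts": "2025-10-21T10:03:30", "src": "Sysmon", "EventCode": 3, "User": "svc_backup",
     "DestIp": "10.0.7.41", "DestPort": 445},
    {"ts": "2025-10-21T11:00:00", "src": "Security", "EventCode": 4624, "LogonType": 10,
     "User": "admin_jane", "SrcIp": "10.0.1.10"},
    {"ts": "2025-10-21T11:01:00", "src": "Sysmon", "EventCode": 1, "User": "admin_jane",
     "Image": "C:\\Windows\\System32\\whoami.exe"},
]

# Assumed tunables: images a remote service account rarely runs, and ports that mark a lateral hop.
UNCOMMON_IMAGES = {"whoami.exe", "net.exe", "cmd.exe", "powershell.exe", "wmic.exe"}
LATERAL_PORTS = {22, 135, 445, 3389, 5985, 5986}


def correlate(events, time_window_s=600, logon_users=None, remote_host_list=frozenset()):
    """Return one alert per remote logon (4624 LogonType 3/10, or 4648) that is followed
    within time_window_s by an uncommon process or a lateral connection by the same user.
    logon_users restricts to chosen accounts; remote_host_list allowlists source IPs."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    events = sorted(events, key=ts)
    alerts = []
    for i, logon in enumerate(events):
        remote = logon["src"] == "Security" and (
            (logon["EventCode"] == 4624 and logon.get("LogonType") in (3, 10))
            or logon["EventCode"] == 4648)
        if not remote or logon.get("SrcIp") in remote_host_list:
            continue
        if logon_users and logon["User"] not in logon_users:
            continue
        deadline = ts(logon) + timedelta(seconds=time_window_s)
        findings = []
        for ev in events[i + 1:]:
            if ts(ev) > deadline:
                break
            if ev["src"] != "Sysmon" or ev["User"] != logon["User"]:
                continue
            if ev["EventCode"] == 1 and ev["Image"].rsplit("\\", 1)[-1].lower() in UNCOMMON_IMAGES:
                findings.append("proc:" + ev["Image"])
            elif ev["EventCode"] == 3 and ev.get("DestPort") in LATERAL_PORTS:
                findings.append(f"net:{ev['DestIp']}:{ev['DestPort']}")
        if findings:
            alerts.append({"user": logon["User"], "src_ip": logon.get("SrcIp"), "findings": findings})
    return alerts
```

With the jumpbox allowlisted only the service-account session alerts; widening or narrowing TimeWindow changes which follow-on events are still attributed to the logon.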

AN0751

SSH session from new source IP followed by interactive shell or privilege escalation (e.g., sudo, su) and outbound lateral connection.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | linux:syslog | sshd: Accepted password/publickey |
| Command Execution (DC0064) | auditd:SYSCALL | execve, USER_CMD |

Mutable Elements

| Field | Description |
|---|---|
| SourceIP | Limit to new/unexpected SSH source IPs |
| CommandList | Flag suspicious post-SSH command patterns |

AN0752

Remote login via ARD or SSH followed by screensharingd process activity or modification of TCC-protected files.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | macos:unifiedlog | eventMessage CONTAINS 'screensharingd' or 'AuthorizationRefCreate' |
| Process Creation (DC0032) | macos:osquery | process_events |

Mutable Elements

| Field | Description |
|---|---|
| RemoteService | Differentiate ARD vs SSH access patterns |
| TargetedPath | Tunable list of sensitive directories or TCC targets |

AN0753

Use of cloud-based bastion or VM console session followed by commands that initiate outbound SSH or RDP sessions from the cloud instance to other environments.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | AWS:CloudTrail | AWS ConsoleLogin, StartSession |
| Network Connection Creation (DC0082) | AWS:VPCFlowLogs | Outbound connections to port 22, 3389 |

Mutable Elements

| Field | Description |
|---|---|
| SourceAssetTag | Limit detection to cloud admin/bastion hosts |
| TargetPortList | Define critical remote service ports to flag |

AN0754

vSphere API logins (vimService) or SSH to ESXi host followed by unauthorized shell commands or lateral remote logins from the ESXi host.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | esxi:vmkernel | vim.fault.*, DCUI login, SSH shell |
| Command Execution (DC0064) | esxi:shell | Command execution trace |

Mutable Elements

| Field | Description |
|---|---|
| SessionType | Filter by DCUI, SSH, vSphere API |
| CommandPattern | Watch for remote access tool invocations (e.g., netcat, ssh) |