Remote Services

Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).[1][2]

ID: T1021
Platforms: Linux, Windows, macOS
System Requirements: Active remote service accepting connections and valid credentials
Data Sources: Command: Command Execution, Logon Session: Logon Session Creation, Module: Module Load, Network Share: Network Share Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Version: 1.1
Created: 31 May 2017
Last Modified: 25 March 2020

Procedure Examples

ID Name Description
S0437 Kivars

Kivars has the ability to remotely trigger keyboard input and mouse clicks. [3]


ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication on remote service logons where possible.

M1018 User Account Management

Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.


Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.