T1021

Remote Services

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain c...

LinuxmacOSWindowsIaaSESXi

Detections

Sources

Threat Actors

BY SOURCE

80elastic9sigma4splunk_escu1crowdstrike_cql

PROCEDURES (48)

Remote9 detections

Auto-extracted: 9 detections for remote

Unusual6 detections

Auto-extracted: 6 detections for unusual

Lateral6 detections

Auto-extracted: 6 detections for lateral

Service4 detections

Auto-extracted: 4 detections for service

Registry4 detections

Auto-extracted: 4 detections for registry

Service4 detections

Auto-extracted: 4 detections for service

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

Authentication Monitoring3 detections

Auto-extracted: 3 detections for authentication monitoring

Network Connection Monitoring3 detections

Auto-extracted: 3 detections for network connection monitoring

Service2 detections

Auto-extracted: 2 detections for service

Service2 detections

Auto-extracted: 2 detections for service

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Ransomware2 detections

Auto-extracted: 2 detections for ransomware

Powershell2 detections

Auto-extracted: 2 detections for powershell

Dump2 detections

Auto-extracted: 2 detections for dump

Aws2 detections

Auto-extracted: 2 detections for aws

Tunnel2 detections

Auto-extracted: 2 detections for tunnel

Lateral2 detections

Auto-extracted: 2 detections for lateral

Remote2 detections

Auto-extracted: 2 detections for remote

Scheduled Task2 detections

Auto-extracted: 2 detections for scheduled task

Persist2 detections

Auto-extracted: 2 detections for persist

Unusual2 detections

Auto-extracted: 2 detections for unusual

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Child Process1 detections

Auto-extracted: 1 detections for child process

Inject1 detections

Auto-extracted: 1 detections for inject

Aws1 detections

Auto-extracted: 1 detections for aws

Wmi1 detections

Auto-extracted: 1 detections for wmi

Aws1 detections

Auto-extracted: 1 detections for aws

Unusual1 detections

Auto-extracted: 1 detections for unusual

Bypass1 detections

Auto-extracted: 1 detections for bypass

Persist1 detections

Auto-extracted: 1 detections for persist

Bypass1 detections

Auto-extracted: 1 detections for bypass

Lateral1 detections

Auto-extracted: 1 detections for lateral

C21 detections

Auto-extracted: 1 detections for c2

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Child Process1 detections

Auto-extracted: 1 detections for child process

Api1 detections

Auto-extracted: 1 detections for api

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Inject1 detections

Auto-extracted: 1 detections for inject

Tunnel1 detections

Auto-extracted: 1 detections for tunnel

Lateral1 detections

Auto-extracted: 1 detections for lateral

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Wmi1 detections

Auto-extracted: 1 detections for wmi

Remote1 detections

Auto-extracted: 1 detections for remote

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Dump1 detections

Auto-extracted: 1 detections for dump

Remote Services

BY SOURCE

PROCEDURES (48)

THREAT ACTORS (3)

DETECTIONS (94)