T1021

Remote Services

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain c...

Platforms: Linux, macOS, Windows, IaaS, ESXi

101 detections, 5 sources, 3 threat actors

BY SOURCE

elastic: 84
sigma: 10
splunk_escu: 4
crowdstrike_cql: 2
kql: 1

PROCEDURES (54)

Auto-extracted keyword groupings, with the number of detections matching each keyword:

Remote: 9 detections
Unusual: 6 detections
Lateral: 6 detections
Registry: 4 detections
Service: 4 detections
Network Connection Monitoring: 3 detections
Exfiltrat: 3 detections
Authentication Monitoring: 3 detections
Service: 3 detections
Dump: 2 detections
Tunnel: 2 detections
Service: 2 detections
Service: 2 detections
Kubernetes: 2 detections
Ransomware: 2 detections
Lateral: 2 detections
C2: 2 detections
Suspicious: 2 detections
Powershell: 2 detections
Process Creation Monitoring: 2 detections
Remote: 2 detections
Scheduled Task: 2 detections
Persist: 2 detections
Unusual: 2 detections
Child Process: 1 detection
Inject: 1 detection
Wmi: 1 detection
Container: 1 detection
Aws: 1 detection
Token: 1 detection
Token: 1 detection
Privilege: 1 detection
Wmi: 1 detection
Remote: 1 detection
Lateral: 1 detection
Exfiltrat: 1 detection
Inject: 1 detection
Suspicious: 1 detection
Container: 1 detection
Child Process: 1 detection
Child Process: 1 detection
Aws: 1 detection
Tunnel: 1 detection
Ransomware: 1 detection
Suspicious: 1 detection
Lateral: 1 detection
Suspicious: 1 detection
Tunnel: 1 detection
Wmi: 1 detection
Suspicious: 1 detection
Dump: 1 detection
Aws: 1 detection
Inject: 1 detection
Exfiltrat: 1 detection

DETECTIONS (101)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity.

Accepted Default Telnet Port Connection [elastic, medium]
Attempt to Mount SMB Share via Command Line [elastic, low]
AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization [elastic, medium]
AWS EC2 Instance Connect SSH Public Key Uploaded [elastic, medium]
AWS EC2 Instance Console Login via Assumed Role [elastic, high]
AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity [elastic, high]
AWS SSM Session Started to EC2 Instance [elastic, medium]
Cisco Network Interface Modifications [splunk_escu]
Cisco Secure Firewall - Communication Over Suspicious Ports [splunk_escu]
Connection to External Network via Telnet [elastic, medium]
Connection to Internal Network via Telnet [elastic, medium]
Detect SMB File Copies [kql]
Enable RDP In Other Port Number [splunk_escu]
ESXi Shell Access Enabled [splunk_escu]
Execution via TSClient Mountpoint [elastic, high]
HackTool - NetExec Execution [sigma, high]
High Mean of Process Arguments in an RDP Session [elastic, low]
High Mean of RDP Session Duration [elastic, low]
High Variance in RDP Session Duration [elastic, low]
Incoming DCOM Lateral Movement via MSHTA [elastic, high]
Incoming DCOM Lateral Movement with MMC [elastic, high]
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows [elastic, medium]
Incoming Execution via PowerShell Remoting [elastic, medium]
Incoming Execution via WinRM Remote Shell [elastic, medium]
Kubelet API Connection Attempt to Internal IP [elastic, medium]
Lateral Movement via Startup Folder [elastic, high]
Linux SSH X11 Forwarding [elastic, low]
Mounting Hidden or WebDav Remote Shares [elastic, medium]
Network Connection Initiated by Suspicious SSHD Child Process [elastic, medium]
Network-Level Authentication (NLA) Disabled [elastic, low]
NullSessionPipe Registry Modification [elastic, medium]
OpenCanary - FTP Login Attempt [sigma, high]
OpenCanary - SMB File Open Request [sigma, high]
OpenCanary - SNMP OID Request [sigma, high]
OpenCanary - SSH Login Attempt [sigma, high]
OpenCanary - SSH New Connection Attempt [sigma, high]
OpenCanary - VNC Connection Attempt [sigma, high]
Outbound Scheduled Task Activity via PowerShell [elastic, medium]
Potential Direct Kubelet Access via Process Arguments [elastic, high]
Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers [elastic, high]
Potential Execution via SSH Backdoor [elastic, medium]
Potential Internal Linux SSH Brute Force Detected [elastic, medium]
Potential Lateral Tool Transfer via SMB Share [elastic, medium]
Potential Machine Account Relay Attack via SMB [elastic, high]
Potential PowerShell HackTool Script by Function Names [elastic, medium]
Potential Ransomware Behavior - Note Files by System [elastic, medium]
Potential Ransomware Note File Dropped via SMB [elastic, high]
Potential Remote Credential Access via Registry [elastic, high]
Potential Remote Desktop Shadowing Activity [elastic, high]
Potential Remote Desktop Tunneling [sigma, medium]
Potential Remote Desktop Tunneling Detected [elastic, high]
Potential SharpRDP Behavior [elastic, high]
Potential THC Tool Downloaded [elastic, high]
Privilege Escalation via Named Pipe Impersonation [sigma, high]
Psexec Execution [sigma, medium]
PsExec Network Connection [elastic, low]
RDP (Remote Desktop Protocol) from the Internet [elastic, medium]
RDP Enabled via Registry [elastic, medium]
Remote Desktop Enabled in Windows Firewall by Netsh [elastic, medium]
Remote Execution via File Shares [elastic, medium]
Remote File Copy to a Hidden Share [elastic, medium]
Remote File Creation in World Writeable Directory [elastic, medium]
Remote Interactive Logons (RDP) [crowdstrike_cql]
Remote Interactive Logons (RDP) [crowdstrike_cql]
Remote Scheduled Task Creation [elastic, medium]
Remote Scheduled Task Creation via RPC [elastic, medium]
Remote SSH Login Enabled via systemsetup Command [elastic, medium]
Remote Windows Service Installed [elastic, medium]
Remotely Started Services via RPC [elastic, medium]
Renaming of OpenSSH Binaries [elastic, low]
RPC (Remote Procedure Call) to the Internet [elastic, high]
Service Command Lateral Movement [elastic, low]
SMB Connections via LOLBin or Untrusted Process [elastic, medium]
Spike in Number of Connections Made from a Source IP [elastic, low]
Spike in Number of Connections Made to a Destination IP [elastic, low]
Spike in Number of Processes in an RDP Session [elastic, low]
SSH Authorized Key File Activity Detected via Defend for Containers [elastic, medium]
SSH Authorized Keys File Activity [elastic, medium]
SSH Key Generated via ssh-keygen [elastic, low]
Successful SSH Authentication from Unusual IP Address [elastic, low]
Successful SSH Authentication from Unusual SSH Public Key [elastic, low]
Successful SSH Authentication from Unusual User [elastic, low]
Suspicious Cmd Execution via WMI [elastic, high]
Suspicious Execution from a WebDav Share [elastic, high]
Suspicious File Renamed via SMB [elastic, high]
Suspicious Process Execution via Renamed PsExec Executable [elastic, medium]
Suspicious RDP ActiveX Client Loaded [elastic, medium]
Suspicious Remote Registry Access via SeBackupPrivilege [elastic, medium]
Unusual AWS Command for a User [elastic, low]
Unusual Azure Activity Logs Event for a User [elastic, low]
Unusual GCP Event for a User [elastic, low]
Unusual Remote File Creation [elastic, low]
Unusual Source IP for a User to Logon from [elastic, low]
Unusual SSHD Child Process [elastic, low]
Unusual Time or Day for an RDP Session [elastic, low]
Unusual Windows Network Activity [elastic, low]
Unusual Windows Remote User [elastic, low]
Virtual Private Network Connection Attempt [elastic, low]
VNC (Virtual Network Computing) to the Internet [elastic, medium]
Windows Registry File Creation in SMB Share [elastic, medium]
WMI Incoming Lateral Movement [elastic, medium]