T1021

Remote Services

Adversaries may use Valid Accounts to log into services that accept remote connections, such as SSH, RDP, SMB, WinRM, VNC, and DCOM, to perform lateral movement. In enterprise environments where domains provide centralized identity management, compromised credentials allow adversaries to authenticate to many machines using remote access protocols. Adversaries may also abuse legitimate remote management tools such as Apple Remote Desktop (ARD) on macOS. Detection focuses on identifying anomalous authentication patterns, unusual source/destination pairs, off-hours access, atypical account usage, and service abuse sequences consistent with credential-driven lateral movement.

Microsoft Sentinel / Defender

kusto

// T1021 Remote Services — Lateral Movement via Remote Authentication
// Covers: RDP (logon type 10), Network logons (type 3), and anomalous remote auth patterns
let LookbackWindow = 24h;
let PrivilegedAccounts = dynamic(["administrator", "admin", "svc-", "service", "backup"]);
let SuspiciousHours = range(0, 5);  // midnight to 5am
// Branch 1: Remote Interactive / RDP logons (Logon Type 10) from unusual sources
let RemoteInteractiveLogons = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4624
| where LogonType == 10  // RemoteInteractive (RDP)
| extend SourceHost = IpAddress
| where isnotempty(SourceHost) and SourceHost !in ("127.0.0.1", "::1", "-")
| extend IsAfterHours = hourofday(TimeGenerated) in (SuspiciousHours)
| extend IsPrivilegedAccount = TargetUserName has_any (PrivilegedAccounts)
| project TimeGenerated, Computer, TargetUserName, TargetDomainName, SourceHost,
         LogonType, LogonTypeName="RemoteInteractive", IsAfterHours, IsPrivilegedAccount,
         ProcessName, AuthenticationPackageName;
// Branch 2: Network logons (Logon Type 3) — SMB, WinRM, lateral movement
let NetworkLogons = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4624
| where LogonType == 3  // Network
| extend SourceHost = IpAddress
| where isnotempty(SourceHost) and SourceHost !in ("127.0.0.1", "::1", "-")
| where TargetUserName !endswith "$"  // exclude machine accounts
| where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE")
| extend IsAfterHours = hourofday(TimeGenerated) in (SuspiciousHours)
| extend IsPrivilegedAccount = TargetUserName has_any (PrivilegedAccounts)
| project TimeGenerated, Computer, TargetUserName, TargetDomainName, SourceHost,
         LogonType, LogonTypeName="Network", IsAfterHours, IsPrivilegedAccount,
         ProcessName, AuthenticationPackageName;
// Branch 3: MDE DeviceLogonEvents — enriched remote logon telemetry
let MdeRemoteLogons = DeviceLogonEvents
| where Timestamp > ago(LookbackWindow)
| where LogonType in ("RemoteInteractive", "Network", "NetworkCleartext")
| where isnotempty(RemoteIP) and RemoteIP !in ("127.0.0.1", "::1")
| where ActionType == "LogonSuccess"
| extend IsAfterHours = hourofday(Timestamp) in (SuspiciousHours)
| extend IsPrivilegedAccount = AccountName has_any (PrivilegedAccounts)
| project TimeGenerated=Timestamp, Computer=DeviceName, TargetUserName=AccountName,
         TargetDomainName=AccountDomain, SourceHost=RemoteIP, LogonType,
         LogonTypeName=LogonType, IsAfterHours, IsPrivilegedAccount,
         ProcessName=InitiatingProcessFileName, AuthenticationPackageName="MDE";
// Combine and flag high-interest events
union RemoteInteractiveLogons, NetworkLogons, MdeRemoteLogons
| extend RiskScore = case(
    IsAfterHours and IsPrivilegedAccount, 3,
    IsAfterHours or IsPrivilegedAccount, 2,
    true, 1)
| where RiskScore >= 1
| summarize LogonCount=count(),
            TargetHosts=make_set(Computer),
            TargetHostCount=dcount(Computer),
            FirstSeen=min(TimeGenerated),
            LastSeen=max(TimeGenerated),
            LogonTypes=make_set(LogonTypeName),
            MaxRiskScore=max(RiskScore)
  by TargetUserName, TargetDomainName, SourceHost
| where TargetHostCount > 1 or MaxRiskScore >= 2  // Lateral spread or high-risk single hop
| sort by MaxRiskScore desc, TargetHostCount desc

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation Network Traffic: Network Connection Creation Windows Security Event Log Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceLogonEvents

False Positives

IT administrators performing routine remote management across multiple servers using RDP or WinRM during business hours
Service accounts with legitimate need to authenticate to multiple systems (backup agents, monitoring solutions, SCCM/Intune management)
Help desk staff using Remote Desktop to provide support to end users — generates high-volume type 10 logons from a single source
Jump server / bastion host authentication patterns where a single source IP authenticates to many destination hosts as a normal workflow
Vulnerability scanners and infrastructure automation tools (Ansible, Puppet, Chef) that authenticate network-wide via type 3 logons

Splunk

spl

| union
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
  (LogonType=3 OR LogonType=10)
  NOT (TargetUserName="ANONYMOUS LOGON" OR TargetUserName="LOCAL SERVICE" OR TargetUserName="NETWORK SERVICE")
  NOT (TargetUserName="*$")
  NOT (IpAddress="127.0.0.1" OR IpAddress="::1" OR IpAddress="-")
  | eval LogonTypeName=case(LogonType="3", "Network", LogonType="10", "RemoteInteractive", true(), "Other")
  | eval SourceHost=IpAddress
  | eval TargetUser=TargetUserName
  | eval TargetHost=ComputerName
]
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
  (LogonType=3 OR LogonType=10)
  NOT (IpAddress="127.0.0.1" OR IpAddress="::1" OR IpAddress="-")
  | eval LogonTypeName="FAILED-" + case(LogonType="3", "Network", LogonType="10", "RemoteInteractive", true(), "Other")
  | eval SourceHost=IpAddress
  | eval TargetUser=TargetUserName
  | eval TargetHost=ComputerName
]
| eval HourOfDay=strftime(_time, "%H")
| eval IsAfterHours=if(HourOfDay < "06" OR HourOfDay > "22", 1, 0)
| eval IsPrivileged=if(match(lower(TargetUser), "(admin|administrator|svc-|service|backup)"), 1, 0)
| eval IsFailed=if(match(LogonTypeName, "^FAILED"), 1, 0)
| eval RiskScore=IsAfterHours + IsPrivileged + (IsFailed * 0)
| stats
    count as TotalLogons,
    sum(IsFailed) as FailedLogons,
    sum(eval(if(IsFailed=0,1,0))) as SuccessLogons,
    dc(TargetHost) as UniqueTargetHosts,
    values(TargetHost) as TargetHosts,
    values(LogonTypeName) as LogonTypes,
    max(RiskScore) as MaxRiskScore,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
  by SourceHost, TargetUser
| eval FailRatio=round(FailedLogons / TotalLogons, 2)
| eval SuspicionScore=MaxRiskScore + (if(UniqueTargetHosts > 3, 2, if(UniqueTargetHosts > 1, 1, 0))) + (if(FailRatio > 0.5 AND SuccessLogons > 0, 2, 0))
| where SuspicionScore >= 2 OR UniqueTargetHosts > 3
| table FirstSeen, LastSeen, SourceHost, TargetUser, UniqueTargetHosts, TargetHosts, TotalLogons, FailedLogons, SuccessLogons, FailRatio, LogonTypes, SuspicionScore
| sort - SuspicionScore

high severity medium confidence

Data Sources

Logon Session: Logon Session Creation Windows Security Event Log Authentication: Authentication

Required Sourcetypes

WinEventLog:Security

False Positives

IT administrators performing routine remote management across multiple servers
Service accounts for backup, monitoring, or deployment tools that authenticate to many hosts
Jump server / bastion host accounts showing high-volume remote logons from a single source IP
Scheduled tasks or automation scripts that initiate network logons to multiple destinations
Security scanners (Nessus, Tenable, Qualys) that authenticate to hosts for credentialed scanning

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS last_seen,
  sourceip AS source_ip,
  username AS target_user,
  COUNT(*) AS total_logons,
  SUM(CASE WHEN eventid = 4625 THEN 1 ELSE 0 END) AS failed_logons,
  SUM(CASE WHEN eventid = 4624 THEN 1 ELSE 0 END) AS success_logons,
  COUNT(DISTINCT destinationip) AS unique_target_hosts,
  MAX(CASE
    WHEN LOWER(username) LIKE '%admin%'
      OR LOWER(username) LIKE '%svc-%'
      OR LOWER(username) LIKE '%service%'
      OR LOWER(username) LIKE '%backup%'
    THEN 1 ELSE 0 END) AS is_privileged,
  MAX(CASE
    WHEN LONG(DATEFORMAT(starttime, 'HH')) < 6
    THEN 1 ELSE 0 END) AS any_after_hours,
  (
    COUNT(DISTINCT destinationip)
    + MAX(CASE WHEN LOWER(username) LIKE '%admin%' OR LOWER(username) LIKE '%svc-%' THEN 1 ELSE 0 END)
    + MAX(CASE WHEN LONG(DATEFORMAT(starttime, 'HH')) < 6 THEN 1 ELSE 0 END)
    + CASE WHEN SUM(CASE WHEN eventid=4625 THEN 1.0 ELSE 0 END) / NULLIF(COUNT(*),0) > 0.5
            AND SUM(CASE WHEN eventid=4624 THEN 1 ELSE 0 END) > 0
           THEN 2 ELSE 0 END
  ) AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Windows Security%'
  AND eventid IN (4624, 4625)
  AND "LogonType" IN ('3', '10')
  AND sourceip IS NOT NULL
  AND sourceip NOT IN ('127.0.0.1', '0.0.0.0', '-', '')
  AND LOWER(username) NOT LIKE '%$'
  AND username NOT IN ('ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE', '')
  AND LAST 24 HOURS
GROUP BY sourceip, username
HAVING COUNT(DISTINCT destinationip) > 1
  OR (
    MAX(CASE WHEN LOWER(username) LIKE '%admin%' OR LOWER(username) LIKE '%svc-%' THEN 1 ELSE 0 END) = 1
    AND MAX(CASE WHEN LONG(DATEFORMAT(starttime, 'HH')) < 6 THEN 1 ELSE 0 END) = 1
  )
ORDER BY unique_target_hosts DESC, suspicion_score DESC

high severity medium confidence

Data Sources

Windows Security Event Log via QRadar WinCollect agent or Syslog forwarder Microsoft Windows Security DSM for IBM QRadar

Required Tables

events

False Positives

Enterprise service desk or remote desktop broker solutions (e.g., Citrix Delivery Controller, VMware Horizon Connection Server) authenticate to pools of VDI or RDSH hosts from a single IP, generating large multi-target type 10 logon bursts.
Active Directory domain controllers performing replication and Kerberos service operations produce numerous type 3 network logon events between infrastructure hosts, and DCs often carry names matching 'service' or 'admin' patterns.
Scheduled tasks or Windows services configured to run under named service accounts (matching svc-/admin patterns) that mount remote network shares or invoke WMI queries against multiple targets for legitimate business automation.

Sumo Logic CSE

sql

(_sourceCategory=*/Windows/*Security* OR _sourceCategory=*WinEventLog*)
| where (EventCode = "4624" OR EventCode = "4625")
| where (LogonType = "3" OR LogonType = "10")
| where !isNull(IpAddress) AND IpAddress != "127.0.0.1" AND IpAddress != "::1" AND IpAddress != "-"
| where !matches(TargetUserName, ".*\\$")
| where TargetUserName not in ("ANONYMOUS LOGON","LOCAL SERVICE","NETWORK SERVICE")
| if (EventCode = "4625", 1, 0) as IsFailed
| if (matches(TargetUserName, "(?i)(admin|administrator|svc-|service|backup)"), 1, 0) as IsPrivileged
| if (toLong(formatDate(_messageTime, "HH")) < 6, 1, 0) as IsAfterHours
| if (LogonType = "10", "RemoteInteractive", "Network") as LogonTypeName
| count as TotalLogons,
  sum(IsFailed) as FailedLogons,
  sum(if(IsFailed = 0, 1, 0)) as SuccessLogons,
  dcount(Computer) as UniqueTargetHosts,
  values(Computer) as TargetHosts,
  max(IsPrivileged) as HasPrivileged,
  max(IsAfterHours) as HasAfterHours,
  first(LogonTypeName) as LogonTypes,
  min(_messageTime) as FirstSeen,
  max(_messageTime) as LastSeen
  by IpAddress, TargetUserName
| (HasPrivileged + HasAfterHours
   + if(UniqueTargetHosts > 3, 2, if(UniqueTargetHosts > 1, 1, 0))
   + if((TotalLogons > 0 AND FailedLogons * 1.0 / TotalLogons > 0.5 AND SuccessLogons > 0), 2, 0)
  ) as SuspicionScore
| where SuspicionScore >= 2 OR UniqueTargetHosts > 3
| fields IpAddress, TargetUserName, TotalLogons, FailedLogons, SuccessLogons,
         UniqueTargetHosts, TargetHosts, LogonTypes,
         HasPrivileged, HasAfterHours, SuspicionScore, FirstSeen, LastSeen
| sort by SuspicionScore desc

high severity medium confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector (Local Windows Event Log source) Sumo Logic Cloud Syslog or HTTP Source receiving forwarded Windows Security events

Required Tables

_sourceCategory=*/Windows/*Security*

False Positives

Privileged access workstations (PAWs) assigned to IT operations staff who RDP into multiple servers in quick succession during incident response or routine maintenance will score high on both privileged account and multi-host dimensions.
Automated CI/CD pipeline agents (Azure DevOps, Jenkins, TeamCity) that authenticate to Windows build agents or deployment targets using service accounts trigger both the privileged naming pattern and multi-host spread thresholds.
Network monitoring systems (PRTG, Zabbix, Nagios) that poll Windows hosts via WMI or DCOM — both of which use type 3 network logons — generate a continuous stream of network authentication from a single monitoring server IP.

Google Chronicle / SecOps

yaral

rule t1021_remote_services_lateral_movement {
  meta:
    author = "Argus Detection Platform"
    description = "T1021 Remote Services — lateral movement via RDP and Network logons from a single source IP authenticating to multiple distinct hosts"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1021/"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    (
      $login.metadata.product_event_type = "4624" OR
      $login.metadata.product_event_type = "4625"
    )
    (
      $login.network.session_type = "REMOTE_INTERACTIVE" OR
      $login.network.session_type = "NETWORK" OR
      re.regex($login.extensions.auth.auth_details, `LogonType=(3|10)`)
    )
    $login.principal.ip != ""
    $login.principal.ip != "127.0.0.1"
    $login.principal.ip != "::1"
    NOT re.regex($login.target.user.userid, `.*\$`)
    NOT (
      $login.target.user.userid = "ANONYMOUS LOGON" OR
      $login.target.user.userid = "LOCAL SERVICE" OR
      $login.target.user.userid = "NETWORK SERVICE"
    )
    $src_ip = $login.principal.ip
    $username = $login.target.user.userid
    $dst_host = $login.target.hostname

  match:
    $src_ip, $username over 24h

  outcome:
    $unique_target_hosts = count_distinct($dst_host)
    $total_logons = count($login)
    $is_privileged = max(
      if(re.regex($username, `(?i)(admin|administrator|svc-|service|backup)`), 1, 0)
    )
    $any_after_hours = max(
      if(timestamp.extract_hour($login.metadata.event_timestamp) < 6, 1, 0)
    )
    $risk_score = $is_privileged + $any_after_hours +
      if($unique_target_hosts > 3, 2, if($unique_target_hosts > 1, 1, 0))

  condition:
    #login > 1 and ($unique_target_hosts >= 2 or $risk_score >= 2)
}

high severity high confidence

Data Sources

Google Chronicle SIEM with Windows Security Event Log ingestion via Chronicle forwarder or Google Cloud integration Chronicle UDM normalized authentication events from Windows domain controllers and member endpoints

Required Tables

USER_LOGIN UDM events (Windows Security log source via Chronicle parser)

False Positives

Infrastructure automation tools (Terraform, Ansible, Salt) authenticating to multiple Windows VMs simultaneously from a CI/CD runner IP satisfy the multi-host threshold without adversarial intent.
Active Directory health monitoring solutions that log into domain controllers and member servers sequentially to validate replication, DNS, and service health generate legitimate multi-target authentication bursts using privileged monitoring accounts.
End users on VPN who legitimately use RDP to connect to different remote desktops or server workloads from a single VPN-assigned IP will trigger the REMOTE_INTERACTIVE session type detection, particularly if their account names include role indicators like 'admin'.

CrowdStrike LogScale (CQL)

cql

// T1021 Remote Services — Lateral Movement via Remote Authentication
// CrowdStrike Falcon LogScale (Humio CQL)
#event_simpleName = /^(UserLogon|UserLogonFailed2)$/
| LogonType = /^(3|10)$/
| RemoteAddressIP4 != ""
| RemoteAddressIP4 != "127.0.0.1"
| TargetUserName != /.*\$$/
| TargetUserName != "ANONYMOUS LOGON"
| TargetUserName != "LOCAL SERVICE"
| TargetUserName != "NETWORK SERVICE"
| hour := formatTime(format="%H", field=ContextTimeStamp)
| IsAfterHours := if(toLong(hour) < 6, 1, 0)
| IsPrivileged := if(TargetUserName = /(?i)(admin|administrator|svc-|service|backup)/, 1, 0)
| IsFailed := if(#event_simpleName = "UserLogonFailed2", 1, 0)
| groupBy([RemoteAddressIP4, TargetUserName], function=[
    count(as=TotalLogons),
    countDistinct(ComputerName, as=UniqueTargetHosts),
    collect(ComputerName, multival=true, as=TargetHosts),
    max(IsAfterHours, as=AnyAfterHours),
    max(IsPrivileged, as=AnyPrivileged),
    sum(IsFailed, as=FailedLogons),
    min(ContextTimeStamp, as=FirstSeen),
    max(ContextTimeStamp, as=LastSeen)
  ])
| FailedRatio := round(FailedLogons / TotalLogons, 2)
| SuspicionScore :=
    AnyAfterHours
    + AnyPrivileged
    + if(UniqueTargetHosts > 3, 2, if(UniqueTargetHosts > 1, 1, 0))
    + if(FailedRatio > 0.5 and (TotalLogons - FailedLogons) > 0, 2, 0)
| where SuspicionScore >= 2 or UniqueTargetHosts > 3
| sort(SuspicionScore, order=desc)
| select([FirstSeen, LastSeen, RemoteAddressIP4, TargetUserName,
          UniqueTargetHosts, TargetHosts, TotalLogons, FailedLogons,
          FailedRatio, AnyAfterHours, AnyPrivileged, SuspicionScore])

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor authentication telemetry (UserLogon and UserLogonFailed2 event types) Falcon Data Replicator (FDR) S3 pipeline or Falcon LogScale direct ingest via Falcon SIEM Connector

Required Tables

#event_simpleName=UserLogon #event_simpleName=UserLogonFailed2

False Positives

Falcon-enrolled administrative hosts used as jump servers by IT operations will produce UserLogon events with a single RemoteAddressIP4 authenticating to many distinct ComputerName values in a short window during infrastructure work.
Automated software distribution and endpoint management tools (Microsoft SCCM, PDQ Deploy, ManageEngine) push software to multiple endpoints via SMB using a service account, creating type 3 network logon bursts that match multi-host thresholds.
VDI broker servers (Citrix, VMware Horizon) managing session allocation to desktop pools authenticate from a single broker IP to many virtual machine hosts, generating logon patterns that closely resemble lateral movement in both host count and timing.

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1021 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Remote Services

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (8)

Same Tactic: Lateral Movement

Popular Detections