T1021 Google Chronicle · YARA-L

Detect Remote Services in Google Chronicle

Adversaries may use Valid Accounts to log into services that accept remote connections, such as SSH, RDP, SMB, WinRM, VNC, and DCOM, to perform lateral movement. In enterprise environments where domains provide centralized identity management, compromised credentials allow adversaries to authenticate to many machines using remote access protocols. Adversaries may also abuse legitimate remote management tools such as Apple Remote Desktop (ARD) on macOS. Detection focuses on identifying anomalous authentication patterns, unusual source/destination pairs, off-hours access, atypical account usage, and service abuse sequences consistent with credential-driven lateral movement.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Canonical reference
https://attack.mitre.org/techniques/T1021/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1021_remote_services_lateral_movement {
  meta:
    author = "Argus Detection Platform"
    description = "T1021 Remote Services — lateral movement via RDP and Network logons from a single source IP authenticating to multiple distinct hosts"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1021/"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    (
      $login.metadata.product_event_type = "4624" OR
      $login.metadata.product_event_type = "4625"
    )
    (
      $login.network.session_type = "REMOTE_INTERACTIVE" OR
      $login.network.session_type = "NETWORK" OR
      re.regex($login.extensions.auth.auth_details, `LogonType=(3|10)`)
    )
    $login.principal.ip != ""
    $login.principal.ip != "127.0.0.1"
    $login.principal.ip != "::1"
    NOT re.regex($login.target.user.userid, `.*\$`)
    NOT (
      $login.target.user.userid = "ANONYMOUS LOGON" OR
      $login.target.user.userid = "LOCAL SERVICE" OR
      $login.target.user.userid = "NETWORK SERVICE"
    )
    $src_ip = $login.principal.ip
    $username = $login.target.user.userid
    $dst_host = $login.target.hostname

  match:
    $src_ip, $username over 24h

  outcome:
    $unique_target_hosts = count_distinct($dst_host)
    $total_logons = count($login)
    $is_privileged = max(
      if(re.regex($username, `(?i)(admin|administrator|svc-|service|backup)`), 1, 0)
    )
    $any_after_hours = max(
      if(timestamp.get_hour($login.metadata.event_timestamp.seconds) < 6, 1, 0)
    )
    $risk_score = $is_privileged + $any_after_hours +
      if($unique_target_hosts > 3, 2, if($unique_target_hosts > 1, 1, 0))

  condition:
    #login > 1 and ($unique_target_hosts >= 2 or $risk_score >= 2)
}

Chronicle YARA-L 2.0 detection rule for T1021 Remote Services lateral movement. Matches USER_LOGIN UDM events derived from Windows Security Event IDs 4624 and 4625 with remote logon session types (NETWORK or REMOTE_INTERACTIVE) or a raw LogonType field match. Correlates events by source IP and username over a 24-hour window, firing when the same credential authenticates to 2+ distinct target hostnames or achieves a risk score >= 2 based on privileged account naming and after-hours access (UTC midnight–06:00). Requires Chronicle UDM normalization of Windows Security logs with principal.ip, target.user.userid, and target.hostname populated; tune session_type matching to your Chronicle parser configuration.

Data Sources

  • Google Chronicle SIEM with Windows Security Event Log ingestion via Chronicle forwarder or Google Cloud integration
  • Chronicle UDM normalized authentication events from Windows domain controllers and member endpoints

Required Tables

USER_LOGIN UDM events (Windows Security log source via Chronicle parser)

False Positives & Tuning

  • Infrastructure automation tools (Terraform, Ansible, Salt) authenticating to multiple Windows VMs simultaneously from a CI/CD runner IP satisfy the multi-host threshold without adversarial intent.
  • Active Directory health monitoring solutions that log into domain controllers and member servers sequentially to validate replication, DNS, and service health generate legitimate multi-target authentication bursts using privileged monitoring accounts.
  • End users on VPN who legitimately use RDP to connect to different remote desktops or server workloads from a single VPN-assigned IP will trigger the REMOTE_INTERACTIVE session type detection, particularly if their account names include role indicators like 'admin'.
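The events, match, outcome and condition sections of the rule above, together with the kind of allowlist exclusions the tuning notes call for, re-expressed as a Python model so the correlation and risk-score arithmetic can be checked against constructed logons before the YARA-L is edited. This is an added example and not the Argus Detection Platform's code; the flattened event dict layout, the `allow_src_ips` and `allow_users` parameters, the sliding-window approximation of Chronicle's match window, and the sample events are all assumptions of this example.

```python
"""Reference model of the T1021 YARA-L rule: filter UDM-like records the way
the events section does, group them by (source IP, username) in a 24h sliding
window, compute the outcome variables and evaluate the condition.
Added example; the dict layout and allowlist parameters are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 24 * 3600
PRIV_RE = re.compile(r"(?i)(admin|administrator|svc-|service|backup)")
LOGON_TYPE_RE = re.compile(r"LogonType=(3|10)")
MACHINE_ACCOUNT_RE = re.compile(r".*\$")          # computer accounts end in "$"
WELL_KNOWN = {"ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}
REMOTE_SESSION_TYPES = {"REMOTE_INTERACTIVE", "NETWORK"}


def event_matches(ev):
    """Mirror of the rule's events section for one flattened UDM-like record."""
    if ev["event_type"] != "USER_LOGIN" or ev["product_event_type"] not in ("4624", "4625"):
        return False
    remote = (ev.get("session_type") in REMOTE_SESSION_TYPES
              or LOGON_TYPE_RE.search(ev.get("auth_details", "")) is not None)
    if not remote or ev["principal_ip"] in ("", "127.0.0.1", "::1"):
        return False
    user = ev["target_user"]
    return MACHINE_ACCOUNT_RE.fullmatch(user) is None and user not in WELL_KNOWN


def outcome(window_events):
    """The outcome section: distinct targets, privileged/after-hours flags, risk score."""
    unique_hosts = len({e["target_hostname"] for e in window_events})
    is_privileged = int(any(PRIV_RE.search(e["target_user"]) for e in window_events))
    after_hours = int(any(
        datetime.fromtimestamp(e["ts"], tz=timezone.utc).hour < 6 for e in window_events))
    risk = is_privileged + after_hours + (2 if unique_hosts > 3 else 1 if unique_hosts > 1 else 0)
    return {"unique_target_hosts": unique_hosts, "total_logons": len(window_events),
            "is_privileged": is_privileged, "any_after_hours": after_hours, "risk_score": risk}


def correlate(events, allow_src_ips=frozenset(), allow_users=frozenset(), window=WINDOW_SECONDS):
    """One detection per (src_ip, username) whose first qualifying window satisfies
    the condition. allow_* are tuning exclusions for CI runner IPs and monitoring
    accounts (an assumption of this example, not part of the YARA-L rule)."""
    groups = defaultdict(list)
    for ev in events:
        if not event_matches(ev):
            continue
        if ev["principal_ip"] in allow_src_ips or ev["target_user"].lower() in allow_users:
            continue
        groups[(ev["principal_ip"], ev["target_user"])].append(ev)

    detections = []
    for (src_ip, user), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):                  # sliding window anchored on each event
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            out = outcome(win)
            if len(win) > 1 and (out["unique_target_hosts"] >= 2 or out["risk_score"] >= 2):
                detections.append({"src_ip": src_ip, "username": user, **out})
                break
    return detections


def _at(hour, minute):
    """Constructed timestamp helper: 2024-01-15 at the given UTC time."""
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc).timestamp()


def _login(ip, user, host, hour, minute, session_type="NETWORK", logon_type="3", eid="4624"):
    return {"event_type": "USER_LOGIN", "product_event_type": eid, "session_type": session_type,
            "auth_details": f"LogonType={logon_type}", "principal_ip": ip,
            "target_user": user, "target_hostname": host, "ts": _at(hour, minute)}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # one source IP / account fanning out to four hosts at midday -> fires on distinct hosts
    _login("10.0.0.5", "jdoe", "HOST-A", 12, 1, "REMOTE_INTERACTIVE", "10"),
    _login("10.0.0.5", "jdoe", "HOST-B", 12, 4, "REMOTE_INTERACTIVE", "10"),
    _login("10.0.0.5", "jdoe", "HOST-C", 12, 9),
    _login("10.0.0.5", "jdoe", "HOST-D", 12, 15),
    # service-named account, single host, 03:00 UTC -> fires on risk score (1 + 1)
    _login("10.0.0.9", "svc-backup", "FS01", 3, 0),
    _login("10.0.0.9", "svc-backup", "FS01", 3, 10, eid="4625"),
    # loopback RDP and a computer account: both excluded by the events section
    _login("127.0.0.1", "admin", "WS01", 12, 20, "REMOTE_INTERACTIVE", "10"),
    _login("10.0.0.7", "WS02$", "DC01", 12, 21),
    # CI runner fanning out to many hosts: fires unless its IP is allowlisted
    *[_login("10.0.0.50", "deploy", f"VM{n:02d}", 14, n) for n in range(5)],
]

if __name__ == "__main__":
    for d in correlate(SAMPLE_EVENTS, allow_src_ips={"10.0.0.50"}):
        print(d)
```

Running the module prints two detections: the four-host fan-out (risk score 2 from the distinct-host term alone) and the service-named account that never leaves one host but scores 2 from the privileged-name and after-hours terms. Dropping the `allow_src_ips` argument makes the CI runner fan-out fire as well, which is the false positive the tuning notes describe.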

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: RDP Lateral Movement to localhost (logon type 10)

    Expected signal: Security Event ID 4624 on localhost with LogonType=10, TargetUserName=current user, IpAddress=127.0.0.1. Security Event ID 4648 (Explicit Credential Logon) for the cmdkey credential staging. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational: EventID 1149 (User authentication succeeded) with client IP 127.0.0.1. Note that the rule's events section excludes principal.ip values of 127.0.0.1 and ::1, so this test exercises the telemetry pipeline but will not by itself produce a detection.

  2. Test 2: SMB Network Logon to admin share (logon type 3)

    Expected signal: On TARGET_HOST — Security Event ID 4624 with LogonType=3, source IP = testing machine IP, TargetUserName=testuser. Security Event ID 4776 (NTLM credential validation) if NTLM is used. Optionally Security Event ID 5140 (network share accessed) and 5145 (share object access) if share auditing is enabled. Sysmon Event ID 3 on source machine showing outbound TCP to TARGET_HOST:445.

  3. Test 3: WinRM remote command execution (lateral movement via PowerShell Remoting)

    Expected signal: On TARGET_HOST — Security Event ID 4624 LogonType=3 with source IP of testing machine. Microsoft-Windows-WinRM/Operational EventID 91 (Creating WSMan session) and EventID 169 (User authenticated successfully). PowerShell ScriptBlock Log Event ID 4104 on TARGET_HOST with the executed commands. Sysmon Event ID 3 on source machine: outbound TCP to TARGET_HOST:5985 (HTTP) or 5986 (HTTPS).

  4. Test 4: SSH lateral movement (Linux — key-based authentication to remote host)

    Expected signal: On REMOTE_HOST — /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS): 'Accepted publickey for testuser from SOURCE_IP port PORT ssh2'. auditd (if enabled): SYSCALL records for sshd process with uid mapping. Syslog entries: sshd[PID]: session opened for user testuser by (uid=0). On source host: ~/.ssh/known_hosts updated if new host.
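The rule depends on the parser populating principal.ip, target.user.userid and target.hostname and on session_type (or auth_details) carrying something the events section tests for. The following added example (not the Argus platform's parser or a Chronicle parser) flattens the two raw signal formats named in the tests above, a Windows Security 4624 event and an sshd "Accepted publickey" syslog line, into the UDM-style fields the rule reads, then reports why the events section would or would not see each record. The output field names, the LogonType-to-session_type mapping, the `sshd_accepted` product_event_type label and the sample records are assumptions of this example.

```python
"""Normalize test telemetry into the flat fields the T1021 rule reads and check
whether the rule's events section would accept the record. Added example; the
field names, mapping and sample records are assumptions."""
import re
import xml.etree.ElementTree as ET

WIN_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Windows logon types the rule treats as remote: 3 = Network, 10 = RemoteInteractive.
SESSION_TYPE_BY_LOGON_TYPE = {"3": "NETWORK", "10": "REMOTE_INTERACTIVE"}
SSH_ACCEPTED_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2")
REQUIRED = ("principal_ip", "target_user", "target_hostname")


def from_windows_4624(xml_text):
    """Flatten a 4624/4625 event: IpAddress -> principal_ip, TargetUserName ->
    target_user, System/Computer -> target_hostname, LogonType -> session_type."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=WIN_NS)
    computer = root.findtext("e:System/e:Computer", namespaces=WIN_NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", WIN_NS)}
    logon_type = data.get("LogonType", "")
    return {"event_type": "USER_LOGIN", "product_event_type": event_id,
            "session_type": SESSION_TYPE_BY_LOGON_TYPE.get(logon_type, ""),
            "auth_details": f"LogonType={logon_type}",
            "principal_ip": data.get("IpAddress", ""),
            "target_user": data.get("TargetUserName", ""),
            "target_hostname": computer or ""}


def from_sshd_accepted(line):
    """Flatten an 'Accepted <method> for <user> from <ip>' line; None if it is not one."""
    m = SSH_ACCEPTED_RE.match(line)
    if not m:
        return None
    # session_type is left empty on purpose: the rule only matches SSH logons if the
    # parser fills session_type or auth_details with a value the events section tests.
    return {"event_type": "USER_LOGIN", "product_event_type": "sshd_accepted",
            "session_type": "", "auth_details": f"Accepted {m['method']}",
            "principal_ip": m["ip"], "target_user": m["user"], "target_hostname": m["host"]}


def readiness(udm):
    """List the reasons the rule's events section would not see this record."""
    problems = [f"{f} not populated" for f in REQUIRED if not udm.get(f)]
    if udm.get("principal_ip") in ("127.0.0.1", "::1"):
        problems.append("source is loopback, excluded by the rule")
    if udm.get("session_type") not in ("NETWORK", "REMOTE_INTERACTIVE") \
            and not re.search(r"LogonType=(3|10)", udm.get("auth_details", "")):
        problems.append("no remote session_type or LogonType=3/10 in auth_details")
    return problems


# Constructed sample records (not real telemetry).
WIN_4624_SMB = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>TARGET-HOST.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">testuser</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.21</Data>
    <Data Name="IpPort">49812</Data>
  </EventData>
</Event>"""
# Test 1 shape: RDP to localhost, logon type 10, IpAddress 127.0.0.1
WIN_4624_LOCAL_RDP = (WIN_4624_SMB.replace('"LogonType">3', '"LogonType">10')
                      .replace("10.0.0.21", "127.0.0.1"))
SSH_LINE = ("Jan 15 03:12:44 remote-host sshd[2281]: "
            "Accepted publickey for testuser from 10.0.0.21 port 50122 ssh2")

if __name__ == "__main__":
    for label, rec in (("smb", from_windows_4624(WIN_4624_SMB)),
                       ("local-rdp", from_windows_4624(WIN_4624_LOCAL_RDP)),
                       ("ssh", from_sshd_accepted(SSH_LINE))):
        print(label, rec["principal_ip"], rec["target_hostname"], readiness(rec) or "ok")
```

Run against the three samples, the SMB logon is accepted, the localhost RDP logon is reported as loopback-excluded, and the SSH logon is reported as lacking a remote session_type, which is the parser-dependent gap the rule description asks you to tune for.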
