Detect Remote Services in CrowdStrike LogScale
Adversaries may use Valid Accounts to log into services that accept remote connections, such as SSH, RDP, SMB, WinRM, VNC, and DCOM, to perform lateral movement. In enterprise environments where domains provide centralized identity management, compromised credentials allow adversaries to authenticate to many machines using remote access protocols. Adversaries may also abuse legitimate remote management tools such as Apple Remote Desktop (ARD) on macOS. Detection focuses on identifying anomalous authentication patterns, unusual source/destination pairs, off-hours access, atypical account usage, and service abuse sequences consistent with credential-driven lateral movement.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1021 Remote Services
- Canonical reference
- https://attack.mitre.org/techniques/T1021/
LogScale Detection Query
// T1021 Remote Services — Lateral Movement via Remote Authentication
// CrowdStrike Falcon LogScale (Humio CQL)
#event_simpleName = /^(UserLogon|UserLogonFailed2)$/
| LogonType = /^(3|10)$/
| RemoteAddressIP4 != ""
| RemoteAddressIP4 != "127.0.0.1"
| TargetUserName != /.*\$$/
| TargetUserName != "ANONYMOUS LOGON"
| TargetUserName != "LOCAL SERVICE"
| TargetUserName != "NETWORK SERVICE"
| hour := formatTime(format="%H", field=ContextTimeStamp)
| IsAfterHours := if(toLong(hour) < 6, 1, 0)
| IsPrivileged := if(TargetUserName = /(?i)(admin|administrator|svc-|service|backup)/, 1, 0)
| IsFailed := if(#event_simpleName = "UserLogonFailed2", 1, 0)
| groupBy([RemoteAddressIP4, TargetUserName], function=[
count(as=TotalLogons),
countDistinct(ComputerName, as=UniqueTargetHosts),
collect(ComputerName, multival=true, as=TargetHosts),
max(IsAfterHours, as=AnyAfterHours),
max(IsPrivileged, as=AnyPrivileged),
sum(IsFailed, as=FailedLogons),
min(ContextTimeStamp, as=FirstSeen),
max(ContextTimeStamp, as=LastSeen)
])
| FailedRatio := round(FailedLogons / TotalLogons, 2)
| SuspicionScore :=
AnyAfterHours
+ AnyPrivileged
+ if(UniqueTargetHosts > 3, 2, if(UniqueTargetHosts > 1, 1, 0))
+ if(FailedRatio > 0.5 and (TotalLogons - FailedLogons) > 0, 2, 0)
| where SuspicionScore >= 2 or UniqueTargetHosts > 3
| sort(SuspicionScore, order=desc)
| select([FirstSeen, LastSeen, RemoteAddressIP4, TargetUserName,
UniqueTargetHosts, TargetHosts, TotalLogons, FailedLogons,
FailedRatio, AnyAfterHours, AnyPrivileged, SuspicionScore])CrowdStrike Falcon LogScale (Humio CQL) query for T1021 Remote Services lateral movement using native Falcon UserLogon and UserLogonFailed2 telemetry events. Filters for Logon Types 3 (Network/SMB) and 10 (RemoteInteractive/RDP) from non-loopback remote IPs, excluding machine accounts and built-in service identities. Groups by source IP and target username, computing a suspicion score from four dimensions: off-hours timing, privileged account naming, unique target host spread, and failed-to-success login ratio. Outputs ranked results for analyst triage. Requires CrowdStrike Falcon sensor deployed on Windows endpoints with authentication telemetry enabled; ContextTimeStamp is epoch milliseconds.
Data Sources
Required Tables
False Positives & Tuning
- Falcon-enrolled administrative hosts used as jump servers by IT operations will produce UserLogon events with a single RemoteAddressIP4 authenticating to many distinct ComputerName values in a short window during infrastructure work.
- Automated software distribution and endpoint management tools (Microsoft SCCM, PDQ Deploy, ManageEngine) push software to multiple endpoints via SMB using a service account, creating type 3 network logon bursts that match multi-host thresholds.
- VDI broker servers (Citrix, VMware Horizon) managing session allocation to desktop pools authenticate from a single broker IP to many virtual machine hosts, generating logon patterns that closely resemble lateral movement in both host count and timing.
Other platforms for T1021
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RDP Lateral Movement to localhost (logon type 10)
Expected signal: Security Event ID 4624 on localhost with LogonType=10, TargetUserName=current user, IpAddress=127.0.0.1. Security Event ID 4648 (Explicit Credential Logon) for the cmdkey credential staging. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational: EventID 1149 (User authentication succeeded) with client IP 127.0.0.1.
- Test 2SMB Network Logon to admin share (logon type 3)
Expected signal: On TARGET_HOST — Security Event ID 4624 with LogonType=3, source IP = testing machine IP, TargetUserName=testuser. Security Event ID 4776 (NTLM credential validation) if NTLM is used. Optionally Security Event ID 5140 (network share accessed) and 5145 (share object access) if share auditing is enabled. Sysmon Event ID 3 on source machine showing outbound TCP to TARGET_HOST:445.
- Test 3WinRM remote command execution (lateral movement via PowerShell Remoting)
Expected signal: On TARGET_HOST — Security Event ID 4624 LogonType=3 with source IP of testing machine. Microsoft-Windows-WinRM/Operational EventID 91 (Creating WSMan session) and EventID 169 (User authenticated successfully). PowerShell ScriptBlock Log Event ID 4104 on TARGET_HOST with the executed commands. Sysmon Event ID 3 on source machine: outbound TCP to TARGET_HOST:5985 (HTTP) or 5986 (HTTPS).
- Test 4SSH lateral movement (Linux — key-based authentication to remote host)
Expected signal: On REMOTE_HOST — /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS): 'Accepted publickey for testuser from SOURCE_IP port PORT ssh2'. auditd (if enabled): SYSCALL records for sshd process with uid mapping. Syslog entries: sshd[PID]: session opened for user testuser by (uid=0). On source host: ~/.ssh/known_hosts updated if new host.
References (11)
- https://attack.mitre.org/techniques/T1021/
- https://www.ssh.com/academy/ssh/protocol
- https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/welcome-to-rds
- https://learn.microsoft.com/en-us/windows/win32/winrm/portal
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://www.mandiant.com/resources/blog/fin12-ransomware-intrusion-actor-targeting-healthcare-sector
- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security
Unlock Pro Content
Get the full detection package for T1021 including response playbook, investigation guide, and atomic red team tests.