T1021 IBM QRadar · QRadar

Detect Remote Services in IBM QRadar

Adversaries may use Valid Accounts to log into services that accept remote connections, such as SSH, RDP, SMB, WinRM, VNC, and DCOM, to perform lateral movement. In enterprise environments where domains provide centralized identity management, compromised credentials allow adversaries to authenticate to many machines using remote access protocols. Adversaries may also abuse legitimate remote management tools such as Apple Remote Desktop (ARD) on macOS. Detection focuses on identifying anomalous authentication patterns, unusual source/destination pairs, off-hours access, atypical account usage, and service abuse sequences consistent with credential-driven lateral movement.

MITRE ATT&CK

Tactic: Lateral Movement
Technique: T1021 Remote Services
Canonical reference: https://attack.mitre.org/techniques/T1021/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS last_seen,
  sourceip AS source_ip,
  username AS target_user,
  COUNT(*) AS total_logons,
  SUM(CASE WHEN eventid = 4625 THEN 1 ELSE 0 END) AS failed_logons,
  SUM(CASE WHEN eventid = 4624 THEN 1 ELSE 0 END) AS success_logons,
  COUNT(DISTINCT destinationip) AS unique_target_hosts,
  MAX(CASE
    WHEN LOWER(username) LIKE '%admin%'
      OR LOWER(username) LIKE '%svc-%'
      OR LOWER(username) LIKE '%service%'
      OR LOWER(username) LIKE '%backup%'
    THEN 1 ELSE 0 END) AS is_privileged,
  MAX(CASE
    WHEN LONG(DATEFORMAT(starttime, 'HH')) < 6
    THEN 1 ELSE 0 END) AS any_after_hours,
  (
    COUNT(DISTINCT destinationip)
    + MAX(CASE WHEN LOWER(username) LIKE '%admin%' OR LOWER(username) LIKE '%svc-%' THEN 1 ELSE 0 END)
    + MAX(CASE WHEN LONG(DATEFORMAT(starttime, 'HH')) < 6 THEN 1 ELSE 0 END)
    + CASE WHEN SUM(CASE WHEN eventid=4625 THEN 1.0 ELSE 0 END) / NULLIF(COUNT(*),0) > 0.5
            AND SUM(CASE WHEN eventid=4624 THEN 1 ELSE 0 END) > 0
           THEN 2 ELSE 0 END
  ) AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Windows Security%'
  AND eventid IN (4624, 4625)
  AND "LogonType" IN ('3', '10')
  AND sourceip IS NOT NULL
  AND sourceip NOT IN ('127.0.0.1', '0.0.0.0', '-', '')
  AND LOWER(username) NOT LIKE '%$'
  AND username NOT IN ('ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE', '')
  AND LAST 24 HOURS
GROUP BY sourceip, username
HAVING COUNT(DISTINCT destinationip) > 1
  OR (
    MAX(CASE WHEN LOWER(username) LIKE '%admin%' OR LOWER(username) LIKE '%svc-%' THEN 1 ELSE 0 END) = 1
    AND MAX(CASE WHEN LONG(DATEFORMAT(starttime, 'HH')) < 6 THEN 1 ELSE 0 END) = 1
  )
ORDER BY unique_target_hosts DESC, suspicion_score DESC
```
Severity: high · Confidence: medium

QRadar AQL query aggregating Windows Security logon events (4624 success, 4625 failure) with Logon Type 3 (Network: SMB, WinRM, WMI) and Type 10 (RemoteInteractive/RDP) to surface credential-driven lateral movement. It groups by source IP and username and computes a composite suspicion score: +1 per distinct target host, +1 if the account name matches an admin/svc- pattern, +1 if any logon in the window fell before 06:00 (hour as rendered by DATEFORMAT, so confirm the time zone QRadar applies), and +2 when more than half of the attempts failed but at least one succeeded. The HAVING clause keeps only source/user pairs that reached more than one host, or privileged-pattern accounts seen after hours, so a single after-hours admin logon to one host still surfaces. Neither eventid nor "LogonType" is a native column of the events table; both must resolve to custom event properties supplied by the Microsoft Windows Security DSM (the 'LogonType' property is parsed from the event payload), so adjust the property names to match your QRadar DSM configuration if they differ.
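To make the scoring and HAVING logic above testable without a QRadar instance, here is an added Python reimplementation (not part of the page or of QRadar) run over constructed sample logon records; the optional broker_ips allowlist is an assumed tuning knob for the connection-broker false positive described below, not something the AQL query has.

```python
from collections import defaultdict
from datetime import datetime as dt

# Constructed sample logon events (not real telemetry); keys mirror the AQL columns.
def ev(eid, ltype, src, dst, user, hour, minute=0):
    return {"eventid": eid, "LogonType": ltype, "sourceip": src, "destinationip": dst,
            "username": user, "starttime": dt(2024, 5, 1, hour, minute)}

EVENTS = [
    ev(4625, "3", "10.0.0.5", "10.0.1.10", "svc-backup", 3, 1),   # failures, then a success,
    ev(4625, "3", "10.0.0.5", "10.0.1.11", "svc-backup", 3, 2),   # across three hosts, after hours
    ev(4625, "3", "10.0.0.5", "10.0.1.12", "svc-backup", 3, 3),
    ev(4624, "3", "10.0.0.5", "10.0.1.12", "svc-backup", 3, 4),
    ev(4624, "10", "10.0.0.9", "10.0.1.20", "jsmith", 9),          # one host, business hours: dropped
    ev(4624, "10", "10.0.0.7", "10.0.1.30", "admin-it", 2),        # one host, but privileged + after hours
    ev(4624, "10", "10.0.0.100", "10.0.1.40", "vdiuser", 10),      # connection-broker fan-out (tuning case)
    ev(4624, "10", "10.0.0.100", "10.0.1.41", "vdiuser", 10),
    ev(4624, "3", "10.0.0.8", "10.0.1.50", "HOST01$", 4),          # computer account: excluded by WHERE
]

def in_scope(e):
    """Mirror the AQL WHERE clause: network/RDP logons by named, non-system accounts."""
    return (e["eventid"] in (4624, 4625) and e["LogonType"] in ("3", "10")
            and e["sourceip"] not in (None, "127.0.0.1", "0.0.0.0", "-", "")
            and not e["username"].lower().endswith("$")
            and e["username"] not in ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE", ""))

def score_logons(events, broker_ips=frozenset()):
    """Group by (sourceip, username) and apply the page's suspicion_score and HAVING filter.
    broker_ips is an assumed allowlist for RDS/VDI brokers (see False Positives & Tuning)."""
    groups = defaultdict(list)
    for e in events:
        if in_scope(e) and e["sourceip"] not in broker_ips:
            groups[(e["sourceip"], e["username"])].append(e)
    rows = []
    for (src, user), evs in groups.items():
        failed = sum(e["eventid"] == 4625 for e in evs)
        success = len(evs) - failed
        hosts = len({e["destinationip"] for e in evs})
        priv = int("admin" in user.lower() or "svc-" in user.lower())  # score uses the narrow pair
        after_hours = int(any(e["starttime"].hour < 6 for e in evs))
        ratio_hit = 2 if failed / len(evs) > 0.5 and success > 0 else 0
        if hosts > 1 or (priv and after_hours):            # HAVING clause
            rows.append({"source_ip": src, "target_user": user, "unique_target_hosts": hosts,
                         "failed_logons": failed, "success_logons": success,
                         "suspicion_score": hosts + priv + after_hours + ratio_hit})
    return sorted(rows, key=lambda r: (-r["unique_target_hosts"], -r["suspicion_score"]))

if __name__ == "__main__":
    print(score_logons(EVENTS, broker_ips={"10.0.0.100"}))
```

Run it once with and once without the broker allowlist to see how the VDI fan-out would otherwise rank between the spray and the lone after-hours admin logon.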

Data Sources

  • Windows Security Event Log via QRadar WinCollect agent or Syslog forwarder
  • Microsoft Windows Security DSM for IBM QRadar

Required Tables

events

False Positives & Tuning

  • Enterprise service desk or remote desktop broker solutions (e.g., Citrix Delivery Controller, VMware Horizon Connection Server) authenticate to pools of VDI or RDSH hosts from a single IP, generating large multi-target type 10 logon bursts.
  • Active Directory domain controllers performing replication and Kerberos service operations produce numerous type 3 network logon events between infrastructure hosts, and DCs often carry names matching 'service' or 'admin' patterns.
  • Scheduled tasks or Windows services configured to run under named service accounts (matching svc-/admin patterns) that mount remote network shares or invoke WMI queries against multiple targets for legitimate business automation.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: RDP Lateral Movement to localhost (logon type 10)

    Expected signal: Security Event ID 4624 on localhost with LogonType=10, TargetUserName=current user, IpAddress=127.0.0.1. Security Event ID 4648 (Explicit Credential Logon) for the cmdkey credential staging. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational: EventID 1149 (User authentication succeeded) with client IP 127.0.0.1.

  2. Test 2: SMB Network Logon to admin share (logon type 3)

    Expected signal: On TARGET_HOST — Security Event ID 4624 with LogonType=3, source IP = testing machine IP, TargetUserName=testuser. Security Event ID 4776 (NTLM credential validation) if NTLM is used. Optionally Security Event ID 5140 (network share accessed) and 5145 (share object access) if share auditing is enabled. Sysmon Event ID 3 on source machine showing outbound TCP to TARGET_HOST:445.

  3. Test 3: WinRM remote command execution (lateral movement via PowerShell Remoting)

    Expected signal: On TARGET_HOST — Security Event ID 4624 LogonType=3 with source IP of testing machine. Microsoft-Windows-WinRM/Operational EventID 91 (Creating WSMan session) and EventID 169 (User authenticated successfully). PowerShell ScriptBlock Log Event ID 4104 on TARGET_HOST with the executed commands. Sysmon Event ID 3 on source machine: outbound TCP to TARGET_HOST:5985 (HTTP) or 5986 (HTTPS).

  4. Test 4: SSH lateral movement (Linux, key-based authentication to remote host)

    Expected signal: On REMOTE_HOST — /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS): 'Accepted publickey for testuser from SOURCE_IP port PORT ssh2'. auditd (if enabled): SYSCALL records for sshd process with uid mapping. Syslog entries: sshd[PID]: session opened for user testuser by (uid=0). On source host: ~/.ssh/known_hosts updated if new host.
