T1021 Microsoft Sentinel · KQL

Detect Remote Services in Microsoft Sentinel

Adversaries may use Valid Accounts to log into services that accept remote connections, such as SSH, RDP, SMB, WinRM, VNC, and DCOM, to perform lateral movement. In enterprise environments where domains provide centralized identity management, compromised credentials allow adversaries to authenticate to many machines using remote access protocols. Adversaries may also abuse legitimate remote management tools such as Apple Remote Desktop (ARD) on macOS. Detection focuses on identifying anomalous authentication patterns, unusual source/destination pairs, off-hours access, atypical account usage, and service abuse sequences consistent with credential-driven lateral movement.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Canonical reference
https://attack.mitre.org/techniques/T1021/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1021 Remote Services — Lateral Movement via Remote Authentication
// Covers: RDP (logon type 10), Network logons (type 3), and anomalous remote auth patterns
let LookbackWindow = 24h;
let PrivilegedAccounts = dynamic(["administrator", "admin", "svc-", "service", "backup"]);
let SuspiciousHours = range(0, 5);  // midnight to 5am
// Branch 1: Remote Interactive / RDP logons (Logon Type 10) from unusual sources
let RemoteInteractiveLogons = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4624
| where LogonType == 10  // RemoteInteractive (RDP)
| extend SourceHost = IpAddress
| where isnotempty(SourceHost) and SourceHost !in ("127.0.0.1", "::1", "-")
| extend IsAfterHours = hourofday(TimeGenerated) in (SuspiciousHours)
| extend IsPrivilegedAccount = TargetUserName has_any (PrivilegedAccounts)
| project TimeGenerated, Computer, TargetUserName, TargetDomainName, SourceHost,
         LogonType, LogonTypeName="RemoteInteractive", IsAfterHours, IsPrivilegedAccount,
         ProcessName, AuthenticationPackageName;
// Branch 2: Network logons (Logon Type 3) — SMB, WinRM, lateral movement
let NetworkLogons = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4624
| where LogonType == 3  // Network
| extend SourceHost = IpAddress
| where isnotempty(SourceHost) and SourceHost !in ("127.0.0.1", "::1", "-")
| where TargetUserName !endswith "$"  // exclude machine accounts
| where TargetUserName !in~ ("ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE")
| extend IsAfterHours = hourofday(TimeGenerated) in (SuspiciousHours)
| extend IsPrivilegedAccount = TargetUserName has_any (PrivilegedAccounts)
| project TimeGenerated, Computer, TargetUserName, TargetDomainName, SourceHost,
         LogonType, LogonTypeName="Network", IsAfterHours, IsPrivilegedAccount,
         ProcessName, AuthenticationPackageName;
// Branch 3: MDE DeviceLogonEvents — enriched remote logon telemetry
let MdeRemoteLogons = DeviceLogonEvents
| where Timestamp > ago(LookbackWindow)
| where LogonType in ("RemoteInteractive", "Network", "NetworkCleartext")
| where isnotempty(RemoteIP) and RemoteIP !in ("127.0.0.1", "::1")
| where ActionType == "LogonSuccess"
| extend IsAfterHours = hourofday(Timestamp) in (SuspiciousHours)
| extend IsPrivilegedAccount = AccountName has_any (PrivilegedAccounts)
| project TimeGenerated=Timestamp, Computer=DeviceName, TargetUserName=AccountName,
         TargetDomainName=AccountDomain, SourceHost=RemoteIP, LogonType,
         LogonTypeName=LogonType, IsAfterHours, IsPrivilegedAccount,
         ProcessName=InitiatingProcessFileName, AuthenticationPackageName="MDE";
// Combine and flag high-interest events
union RemoteInteractiveLogons, NetworkLogons, MdeRemoteLogons
| extend RiskScore = case(
    IsAfterHours and IsPrivilegedAccount, 3,
    IsAfterHours or IsPrivilegedAccount, 2,
    true, 1)
| where RiskScore >= 1
| summarize LogonCount=count(),
            TargetHosts=make_set(Computer),
            TargetHostCount=dcount(Computer),
            FirstSeen=min(TimeGenerated),
            LastSeen=max(TimeGenerated),
            LogonTypes=make_set(LogonTypeName),
            MaxRiskScore=max(RiskScore)
  by TargetUserName, TargetDomainName, SourceHost
| where TargetHostCount > 1 or MaxRiskScore >= 2  // Lateral spread or high-risk single hop
| sort by MaxRiskScore desc, TargetHostCount desc
high severity medium confidence

Detects anomalous remote authentication activity consistent with lateral movement via Remote Services (T1021). Combines Security Event ID 4624 (logon type 3/network and type 10/remote interactive) with MDE DeviceLogonEvents for enriched coverage. Scores events by risk factors including after-hours access and privileged account use, then aggregates by source account and host to surface multi-host lateral movement patterns. A single high-risk logon (privileged account, after hours) surfaces alongside multi-host spread.

Data Sources

Logon Session: Logon Session CreationNetwork Traffic: Network Connection CreationWindows Security Event LogMicrosoft Defender for Endpoint

Required Tables

SecurityEventDeviceLogonEvents

False Positives & Tuning

  • IT administrators performing routine remote management across multiple servers using RDP or WinRM during business hours
  • Service accounts with legitimate need to authenticate to multiple systems (backup agents, monitoring solutions, SCCM/Intune management)
  • Help desk staff using Remote Desktop to provide support to end users — generates high-volume type 10 logons from a single source
  • Jump server / bastion host authentication patterns where a single source IP authenticates to many destination hosts as a normal workflow
  • Vulnerability scanners and infrastructure automation tools (Ansible, Puppet, Chef) that authenticate network-wide via type 3 logons
Download portable Sigma rule (.yml)

Other platforms for T1021

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1RDP Lateral Movement to localhost (logon type 10)

    Expected signal: Security Event ID 4624 on localhost with LogonType=10, TargetUserName=current user, IpAddress=127.0.0.1. Security Event ID 4648 (Explicit Credential Logon) for the cmdkey credential staging. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational: EventID 1149 (User authentication succeeded) with client IP 127.0.0.1.

  2. Test 2SMB Network Logon to admin share (logon type 3)

    Expected signal: On TARGET_HOST — Security Event ID 4624 with LogonType=3, source IP = testing machine IP, TargetUserName=testuser. Security Event ID 4776 (NTLM credential validation) if NTLM is used. Optionally Security Event ID 5140 (network share accessed) and 5145 (share object access) if share auditing is enabled. Sysmon Event ID 3 on source machine showing outbound TCP to TARGET_HOST:445.

  3. Test 3WinRM remote command execution (lateral movement via PowerShell Remoting)

    Expected signal: On TARGET_HOST — Security Event ID 4624 LogonType=3 with source IP of testing machine. Microsoft-Windows-WinRM/Operational EventID 91 (Creating WSMan session) and EventID 169 (User authenticated successfully). PowerShell ScriptBlock Log Event ID 4104 on TARGET_HOST with the executed commands. Sysmon Event ID 3 on source machine: outbound TCP to TARGET_HOST:5985 (HTTP) or 5986 (HTTPS).

  4. Test 4SSH lateral movement (Linux — key-based authentication to remote host)

    Expected signal: On REMOTE_HOST — /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS): 'Accepted publickey for testuser from SOURCE_IP port PORT ssh2'. auditd (if enabled): SYSCALL records for sshd process with uid mapping. Syslog entries: sshd[PID]: session opened for user testuser by (uid=0). On source host: ~/.ssh/known_hosts updated if new host.

Last updated: 2026-04-13 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1021 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (8)

Related Techniques

T1078Valid AccountsT1550.002Pass the HashT1550.003Pass the TicketT1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1021.004SSHT1021.006Windows Remote ManagementT1110Brute ForceT1558Steal or Forge Kerberos TicketsT1563Remote Service Session Hijacking

Same Tactic: Lateral Movement

Popular Detections