Detect Remote Services in Splunk
Adversaries may use Valid Accounts to log into services that accept remote connections, such as SSH, RDP, SMB, WinRM, VNC, and DCOM, to perform lateral movement. In enterprise environments where domains provide centralized identity management, compromised credentials allow adversaries to authenticate to many machines using remote access protocols. Adversaries may also abuse legitimate remote management tools such as Apple Remote Desktop (ARD) on macOS. Detection focuses on identifying anomalous authentication patterns, unusual source/destination pairs, off-hours access, atypical account usage, and service abuse sequences consistent with credential-driven lateral movement.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1021 Remote Services
- Canonical reference: https://attack.mitre.org/techniques/T1021/
SPL Detection Query
| union
[
search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
(LogonType=3 OR LogonType=10)
NOT (TargetUserName="ANONYMOUS LOGON" OR TargetUserName="LOCAL SERVICE" OR TargetUserName="NETWORK SERVICE")
NOT (TargetUserName="*$")
NOT (IpAddress="127.0.0.1" OR IpAddress="::1" OR IpAddress="-")
| eval LogonTypeName=case(LogonType="3", "Network", LogonType="10", "RemoteInteractive", true(), "Other")
| eval SourceHost=IpAddress
| eval TargetUser=TargetUserName
| eval TargetHost=ComputerName
]
[
search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
(LogonType=3 OR LogonType=10)
NOT (IpAddress="127.0.0.1" OR IpAddress="::1" OR IpAddress="-")
| eval LogonTypeName="FAILED-" + case(LogonType="3", "Network", LogonType="10", "RemoteInteractive", true(), "Other")
| eval SourceHost=IpAddress
| eval TargetUser=TargetUserName
| eval TargetHost=ComputerName
]
| eval HourOfDay=strftime(_time, "%H")
| eval IsAfterHours=if(HourOfDay < "06" OR HourOfDay > "22", 1, 0)
| eval IsPrivileged=if(match(lower(TargetUser), "(admin|administrator|svc-|service|backup)"), 1, 0)
| eval IsFailed=if(match(LogonTypeName, "^FAILED"), 1, 0)
| eval RiskScore=IsAfterHours + IsPrivileged + (IsFailed * 0)
| stats
count as TotalLogons,
sum(IsFailed) as FailedLogons,
sum(eval(if(IsFailed=0,1,0))) as SuccessLogons,
dc(TargetHost) as UniqueTargetHosts,
values(TargetHost) as TargetHosts,
values(LogonTypeName) as LogonTypes,
max(RiskScore) as MaxRiskScore,
earliest(_time) as FirstSeen,
latest(_time) as LastSeen
by SourceHost, TargetUser
| eval FailRatio=round(FailedLogons / TotalLogons, 2)
| eval SuspicionScore=MaxRiskScore + (if(UniqueTargetHosts > 3, 2, if(UniqueTargetHosts > 1, 1, 0))) + (if(FailRatio > 0.5 AND SuccessLogons > 0, 2, 0))
| where SuspicionScore >= 2 OR UniqueTargetHosts > 3
| table FirstSeen, LastSeen, SourceHost, TargetUser, UniqueTargetHosts, TargetHosts, TotalLogons, FailedLogons, SuccessLogons, FailRatio, LogonTypes, SuspicionScore
| sort - SuspicionScore

Detects lateral movement via Remote Services using Windows Security Event Log logon events (4624 success, 4625 failure) for logon types 3 (Network/SMB) and 10 (RemoteInteractive/RDP). Computes a suspicion score per source-account pair based on: after-hours access, privileged account use, spread across multiple target hosts, and success-after-failure patterns (indicating brute force or pass-the-hash). Filters out machine accounts and well-known anonymous and service logon identities to reduce noise.
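To check the scoring stages of the query offline before deploying it, here is an added Python reimplementation of its filter, per-event risk and per-pair suspicion logic, run over a handful of constructed 4624/4625 events; this is example code written for this page, not part of the detection package, and the event records, host names and account names are constructed.

```python
import re
from datetime import datetime

# Constructed sample events (not from the page); field names follow the SPL query.
EVENTS = [
    # admin-jdoe at 02:xx: three failed SMB logons to FS01, then a successful RDP logon to DC01
    {"_time": "2024-03-04T02:10:00", "EventCode": 4625, "LogonType": "3", "TargetUserName": "admin-jdoe", "IpAddress": "10.0.0.5", "ComputerName": "FS01"},
    {"_time": "2024-03-04T02:11:00", "EventCode": 4625, "LogonType": "3", "TargetUserName": "admin-jdoe", "IpAddress": "10.0.0.5", "ComputerName": "FS01"},
    {"_time": "2024-03-04T02:12:00", "EventCode": 4625, "LogonType": "3", "TargetUserName": "admin-jdoe", "IpAddress": "10.0.0.5", "ComputerName": "FS01"},
    {"_time": "2024-03-04T02:20:00", "EventCode": 4624, "LogonType": "10", "TargetUserName": "admin-jdoe", "IpAddress": "10.0.0.5", "ComputerName": "DC01"},
    # a benign daytime RDP logon by a regular user, and a machine-account logon the query drops
    {"_time": "2024-03-04T09:30:00", "EventCode": 4624, "LogonType": "10", "TargetUserName": "alice", "IpAddress": "10.0.0.9", "ComputerName": "WS07"},
    {"_time": "2024-03-04T09:31:00", "EventCode": 4624, "LogonType": "3", "TargetUserName": "WS07$", "IpAddress": "10.0.0.7", "ComputerName": "DC01"},
]
EXCLUDED_USERS = {"ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}
LOOPBACK = {"127.0.0.1", "::1", "-"}
PRIV_RE = re.compile(r"admin|administrator|svc-|service|backup")

def in_scope(ev):
    """Mirror the union subsearches: 4624 filters users and sources, 4625 filters sources only."""
    if ev["LogonType"] not in ("3", "10") or ev["IpAddress"] in LOOPBACK:
        return False
    if ev["EventCode"] == 4624:
        user = ev["TargetUserName"]
        return user not in EXCLUDED_USERS and not user.endswith("$")
    return ev["EventCode"] == 4625

def risk_score(ev):
    """Per-event RiskScore: +1 after hours (before 06 or after 22), +1 privileged-looking account."""
    hour = datetime.fromisoformat(ev["_time"]).hour
    after_hours = 1 if hour < 6 or hour > 22 else 0
    return after_hours + (1 if PRIV_RE.search(ev["TargetUserName"].lower()) else 0)

def score_pairs(events):
    """Aggregate per (SourceHost, TargetUser) like the stats/eval/where stages of the query."""
    groups = {}
    for ev in filter(in_scope, events):
        groups.setdefault((ev["IpAddress"], ev["TargetUserName"]), []).append(ev)
    results = {}
    for key, evs in groups.items():
        failed = sum(ev["EventCode"] == 4625 for ev in evs)
        success = len(evs) - failed
        hosts = len({ev["ComputerName"] for ev in evs})
        fail_ratio = round(failed / len(evs), 2)
        spread = 2 if hosts > 3 else 1 if hosts > 1 else 0      # fan-out across target hosts
        brute = 2 if fail_ratio > 0.5 and success > 0 else 0    # success after mostly failures
        score = max(risk_score(ev) for ev in evs) + spread + brute
        if score >= 2 or hosts > 3:                              # the query's where clause
            results[key] = {"UniqueTargetHosts": hosts, "FailedLogons": failed, "SuccessLogons": success, "FailRatio": fail_ratio, "SuspicionScore": score}
    return results
```

Calling score_pairs(EVENTS) returns only the admin-jdoe pair (after hours, privileged, two target hosts, success after three failures) while the daytime user and the machine account fall out, which is the behaviour the query's where clause and filters are meant to produce.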
Data Sources
Required Sourcetypes
- WinEventLog:Security (index=wineventlog): Security Event IDs 4624 (successful logon) and 4625 (failed logon), restricted to logon types 3 and 10
Check that your field extractions produce the names the query uses (LogonType, TargetUserName, IpAddress, ComputerName). These are the field names of XML-rendered Windows events; the classic, non-XML rendering in the Splunk Add-on for Microsoft Windows exposes them as underscore-separated names such as Logon_Type and Source_Network_Address, so adjust the query or your extractions if your inputs use that format.
False Positives & Tuning
- IT administrators performing routine remote management across multiple servers
- Service accounts for backup, monitoring, or deployment tools that authenticate to many hosts
- Jump server / bastion host accounts showing high-volume remote logons from a single source IP
- Scheduled tasks or automation scripts that initiate network logons to multiple destinations
- Security scanners (Nessus, Tenable, Qualys) that authenticate to hosts for credentialed scanning
Testing Methodology
Validate this detection against the 4 adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: RDP Lateral Movement to localhost (logon type 10)
Expected signal: Security Event ID 4624 on localhost with LogonType=10, TargetUserName=current user, IpAddress=127.0.0.1. Security Event ID 4648 (Explicit Credential Logon) for the cmdkey credential staging. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational: EventID 1149 (User authentication succeeded) with client IP 127.0.0.1. Note that the query above excludes loopback sources (127.0.0.1, ::1), so this test validates telemetry collection but its events will not appear in the detection output; run the RDP logon from a separate source host to exercise the scoring logic.
- Test 2: SMB Network Logon to admin share (logon type 3)
Expected signal: On TARGET_HOST: Security Event ID 4624 with LogonType=3, source IP = testing machine IP, TargetUserName=testuser. Security Event ID 4776 (NTLM credential validation) if NTLM is used. Optionally Security Event ID 5140 (network share accessed) and 5145 (share object access) if share auditing is enabled. Sysmon Event ID 3 on the source machine showing outbound TCP to TARGET_HOST:445.
- Test 3: WinRM remote command execution (lateral movement via PowerShell Remoting)
Expected signal: On TARGET_HOST: Security Event ID 4624 LogonType=3 with source IP of the testing machine. Microsoft-Windows-WinRM/Operational EventID 91 (Creating WSMan session) and EventID 169 (User authenticated successfully). PowerShell ScriptBlock Log Event ID 4104 on TARGET_HOST with the executed commands. Sysmon Event ID 3 on the source machine: outbound TCP to TARGET_HOST:5985 (HTTP) or 5986 (HTTPS).
- Test 4: SSH lateral movement (Linux, key-based authentication to remote host)
Expected signal: On REMOTE_HOST: /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS): 'Accepted publickey for testuser from SOURCE_IP port PORT ssh2'. auditd (if enabled): SYSCALL records for the sshd process with uid mapping. Syslog entries: sshd[PID]: session opened for user testuser by (uid=0). On the source host: ~/.ssh/known_hosts updated if the host is new. Note that the query above covers Windows Security events only, so this test produces Linux telemetry that needs a separate search over auth.log or secure data.
References
- https://attack.mitre.org/techniques/T1021/
- https://www.ssh.com/academy/ssh/protocol
- https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/welcome-to-rds
- https://learn.microsoft.com/en-us/windows/win32/winrm/portal
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://www.mandiant.com/resources/blog/fin12-ransomware-intrusion-actor-targeting-healthcare-sector
- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security