title: Remote Services (T1021)
id: df00tech-t1021
status: experimental
description: "Adversaries may use Valid Accounts to log into services that accept remote connections, such as SSH, RDP, SMB, WinRM, VNC, and DCOM, to perform lateral movement. In enterprise environments where domains provide centralized identity management, compromised credentials allow adversaries to authenticate to many machines using remote access protocols. Adversaries may also abuse legitimate remote management tools such as Apple Remote Desktop (ARD) on macOS. Detection focuses on identifying anomalous authentication patterns, unusual source/destination pairs, off-hours access, atypical account usage, and service abuse sequences consistent with credential-driven lateral movement."
references:
  - https://attack.mitre.org/techniques/T1021/
  - https://df00tech.com/detections/T1021
author: df00tech
date: 2026/04/13
tags:
  - attack.t1021
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators performing routine remote management across multiple servers using RDP or WinRM during business hours
  - "Service accounts with legitimate need to authenticate to multiple systems (backup agents, monitoring solutions, SCCM/Intune management)"
  - Help desk staff using Remote Desktop to provide support to end users — generates high-volume type 10 logons from a single source
  - Jump server / bastion host authentication patterns where a single source IP authenticates to many destination hosts as a normal workflow
  - "Vulnerability scanners and infrastructure automation tools (Ansible, Puppet, Chef) that authenticate network-wide via type 3 logons"
level: high
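As an added illustration (not part of the df00tech rule or its KQL/SPL query), the Python below runs the fan-out check the description and false-positive notes imply over constructed Windows 4624 events: only remote logon types 3 and 10 count, distinct destination hosts per source/account pair are tallied inside a sliding window, off-hours starts are flagged, and allowlists suppress the service-account and jump-host patterns listed above. Field names, the threshold, the window and the business-hours range are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security 4624 (successful logon) events, not real telemetry.
# LogonType 3 = network (SMB/WinRM), 10 = RemoteInteractive (RDP), 2 = local console.
SAMPLE_EVENTS = [
    {"time": "2026-04-13T02:01:00", "user": "jdoe", "src": "10.0.0.5", "host": "FS01", "type": 10},
    {"time": "2026-04-13T02:03:00", "user": "jdoe", "src": "10.0.0.5", "host": "FS02", "type": 10},
    {"time": "2026-04-13T02:05:30", "user": "jdoe", "src": "10.0.0.5", "host": "SQL01", "type": 3},
    {"time": "2026-04-13T02:08:00", "user": "jdoe", "src": "10.0.0.5", "host": "DC01", "type": 10},
    {"time": "2026-04-13T09:00:00", "user": "svc_backup", "src": "10.0.0.9", "host": "FS01", "type": 3},
    {"time": "2026-04-13T09:00:05", "user": "svc_backup", "src": "10.0.0.9", "host": "FS02", "type": 3},
    {"time": "2026-04-13T09:00:10", "user": "svc_backup", "src": "10.0.0.9", "host": "SQL01", "type": 3},
    {"time": "2026-04-13T09:00:15", "user": "svc_backup", "src": "10.0.0.9", "host": "DC01", "type": 3},
    {"time": "2026-04-13T10:00:00", "user": "amy", "src": "10.0.0.7", "host": "WS07", "type": 2},
    {"time": "2026-04-13T10:30:00", "user": "amy", "src": "10.0.0.7", "host": "FS01", "type": 3},
]

REMOTE_LOGON_TYPES = {3, 10}      # network and RemoteInteractive logons only
BUSINESS_HOURS = range(8, 19)     # assumed 08:00-18:59 local; tune per environment


def fanout_alerts(events, threshold=3, window=timedelta(minutes=30),
                  allow_accounts=frozenset(), allow_sources=frozenset()):
    """Flag (source IP, account) pairs that reach at least `threshold` distinct hosts
    via remote logons inside `window`. Allowlists cover known benign fan-out
    (backup/monitoring service accounts, jump servers, scanners)."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["type"] not in REMOTE_LOGON_TYPES:
            continue
        if ev["user"] in allow_accounts or ev["src"] in allow_sources:
            continue
        by_pair[(ev["src"], ev["user"])].append(
            (datetime.fromisoformat(ev["time"]), ev["host"]))
    alerts = []
    for (src, user), hits in by_pair.items():
        hits.sort()  # chronological, so each start index opens a forward window
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts.append({"src": src, "user": user, "hosts": sorted(hosts),
                               "first_seen": start.isoformat(),
                               "off_hours": start.hour not in BUSINESS_HOURS})
                break  # one alert per pair; later windows would only repeat it
    return alerts


if __name__ == "__main__":
    for alert in fanout_alerts(SAMPLE_EVENTS, allow_accounts={"svc_backup"}):
        print(alert)
```

With `svc_backup` allowlisted only the 02:00 `jdoe` fan-out to four hosts is reported, flagged as off-hours; `amy` never exceeds one remote destination and produces nothing.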
