T1021 | Lateral Movement | Medium difficulty

Remote Services

Remote Services (T1021) is a MITRE ATT&CK technique in the Lateral Movement tactic. SOC analysts detect it by monitoring SIEM and firewall events for behavioral anomalies and for the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Detection sources: SIEM, Firewall

What is Remote Services?

Adversaries may use valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. Remote services are commonly used for lateral movement in enterprise environments because they are difficult to distinguish from legitimate administrative activity when using valid credentials. Common lateral movement techniques include using stolen credentials with Remote Desktop Protocol (RDP), SSH, Windows Remote Management (WinRM), Distributed Component Object Model (DCOM), and SMB/Windows Admin Shares. After compromising an initial host and acquiring credentials through credential dumping or other means, attackers systematically move through the network using these services to access additional systems, escalate privileges, and ultimately reach their target data or assets.

Remote Services is documented as technique T1021 in the MITRE ATT&CK knowledge base under the Lateral Movement tactic. Detection requires visibility into SIEM and firewall telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Remote Services activity. These methods apply across SIEM and firewall environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

  1. Monitor RDP authentication events for logons from unusual source hosts, particularly from workstations connecting to servers or from hosts that have not previously used RDP to access specific destinations.

  2. Alert on WinRM and PowerShell remoting sessions initiated outside of normal administrative workflows, particularly those executing unusual command sequences or spawning additional processes on remote systems.

  3. Detect SMB lateral movement by monitoring for authentication to admin shares (C$, IPC$, ADMIN$) combined with subsequent file creation or process execution on the target systems.

  4. Implement UEBA rules that baseline normal remote service usage patterns per user and alert on deviations, including new destination systems, unusual connection times, and unusually high numbers of remote sessions.

  5. Monitor for pass-the-hash and pass-the-ticket artifacts in authentication logs, including NTLM authentication events for accounts where only Kerberos is expected, or vice versa.

Example Alerts

These realistic alert examples show what Remote Services looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: Critical | Source: SIEM

RDP Lateral Movement Chain Detected

Authentication correlation detected systematic RDP lateral movement: account DA_svc_backup used RDP to connect sequentially to 8 systems over 35 minutes. Pattern started from initial compromised host, moved to file servers, then domain controller. Each hop occurred within 3-5 minutes of arrival on the previous system, consistent with automated lateral movement tooling.

Severity: High | Source: SIEM

WinRM Remote Command Execution

WinRM session established from HR workstation WS-HR-007 to multiple servers using domain admin account credentials. Remote execution via Invoke-Command spawned PowerShell processes on 6 target servers, each executing the same credential harvesting script. The workstation operator is an HR employee with no legitimate need to remotely execute commands on server infrastructure.

Severity: Critical | Source: SIEM

Pass-the-Hash via SMB Admin Share

NTLM authentication to the C$ admin share on 12 servers from a single source workstation within 8 minutes using account local_admin. The authentication method is NTLMv2 without a preceding interactive logon, and no Kerberos ticket exchange occurred. This pattern indicates pass-the-hash lateral movement using a captured NTLM hash rather than a cleartext password.
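The detection strategies above and the three example alerts describe the same small set of correlations: one account reaching many hosts over RDP in a short window, one source touching admin shares on many hosts, and authentication that deviates from a per-account baseline (new destinations, NTLM where only Kerberos is expected). The following is an added example, not SOCSimulator's code or a vendor rule, showing how those correlations can be expressed over simplified Windows Security log records. The event shapes (4624 logons with logon_type 10 for RDP, 5140 share access), the field names, the sample events and the UEBA baseline are all constructed for the example; thresholds and windows are assumptions you would tune to your own environment.

```python
"""Constructed detection logic for T1021 Remote Services (added example, not SOCSimulator's code).

Events are simplified Windows Security log records: 4624 = successful logon (logon_type 10 is
RemoteInteractive/RDP, 3 is network), 5140 = network share accessed. Field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}


def ev(ts, event, user, src, dst, **extra):
    """Build one constructed event record with a parsed timestamp."""
    rec = {"ts": datetime.fromisoformat(ts), "event": event, "user": user, "src": src, "dst": dst}
    rec.update(extra)
    return rec


# Constructed sample telemetry, loosely modelled on the page's example alerts.
EVENTS = [
    # Normal admin RDP from a jump host, Kerberos, destination already in the baseline.
    ev("2024-03-01T09:00:00", 4624, "admin_jo", "JUMP-01", "FS-01", logon_type=10, auth="Kerberos"),
    # RDP chain: svc_backup hops host to host every few minutes, ending on a DC.
    ev("2024-03-01T10:00:00", 4624, "svc_backup", "WS-HR-007", "FS-01", logon_type=10, auth="Kerberos"),
    ev("2024-03-01T10:04:00", 4624, "svc_backup", "FS-01", "FS-02", logon_type=10, auth="Kerberos"),
    ev("2024-03-01T10:08:00", 4624, "svc_backup", "FS-02", "DC-01", logon_type=10, auth="Kerberos"),
    # Admin-share fan-out with NTLM from one workstation to five servers in five minutes.
    *[ev(f"2024-03-01T11:{i:02d}:00", 5140, "local_admin", "WS-HR-007", f"SRV-{i:02d}", share="C$", auth="NTLM")
      for i in range(5)],
    # NTLM network logon for an account that historically only uses Kerberos.
    ev("2024-03-01T12:00:00", 4624, "admin_jo", "WS-HR-007", "FS-03", logon_type=3, auth="NTLM"),
]

# Constructed UEBA baseline: destinations and auth packages each account normally uses.
BASELINE = {
    "admin_jo": {"dsts": {"FS-01", "FS-02"}, "auth": {"Kerberos"}},
    "svc_backup": {"dsts": {"FS-01"}, "auth": {"Kerberos"}},
    "local_admin": {"dsts": set(), "auth": {"NTLM"}},
}


def _fanout(events, key, min_hosts, window):
    """Sliding window over time-sorted events: distinct destinations per key within `window`.
    Returns {key: sorted destinations} for keys whose widest window reached min_hosts."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[key(e)].append(e)
    hits = {}
    for k, evs in by_key.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # drop events older than the window
                start += 1
            dsts = {x["dst"] for x in evs[start:end + 1]}
            if len(dsts) >= min_hosts and len(dsts) > len(hits.get(k, ())):
                hits[k] = sorted(dsts)
    return hits


def rdp_chains(events, min_hosts=3, window=timedelta(minutes=30)):
    """Strategy 1 / alert 'RDP Lateral Movement Chain': one account RDPs to >= min_hosts hosts in `window`."""
    rdp = [e for e in events if e["event"] == 4624 and e.get("logon_type") == 10]
    return _fanout(rdp, key=lambda e: e["user"], min_hosts=min_hosts, window=window)


def admin_share_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Strategy 3 / alert 'Pass-the-Hash via SMB Admin Share': one (user, source) hits admin shares on many hosts."""
    shares = [e for e in events if e["event"] == 5140 and e.get("share") in ADMIN_SHARES]
    return _fanout(shares, key=lambda e: (e["user"], e["src"]), min_hosts=min_hosts, window=window)


def baseline_deviations(events, baseline):
    """Strategies 4 and 5: new destinations per account, and NTLM where only Kerberos is expected."""
    findings = []
    for e in events:
        prof = baseline.get(e["user"])
        if prof is None:
            findings.append(("unknown_account", e["user"], e["dst"]))
            continue
        if e["dst"] not in prof["dsts"]:
            findings.append(("new_destination", e["user"], e["dst"]))
        if e.get("auth") == "NTLM" and prof["auth"] == {"Kerberos"}:
            findings.append(("ntlm_where_kerberos_expected", e["user"], e["dst"]))
    return findings


if __name__ == "__main__":
    print("RDP chains:", rdp_chains(EVENTS))
    print("Admin-share fan-out:", admin_share_fanout(EVENTS))
    for f in baseline_deviations(EVENTS, BASELINE):
        print("Baseline deviation:", f)
```

Each detector returns the grouped evidence an analyst would want in the alert body (account, source, the list of destinations), which is what makes the page's example alerts actionable rather than a bare count. In a real SIEM the baseline would be learned from weeks of history rather than hard-coded, and the admin-share rule would be joined with the subsequent file-creation or process-execution events the third strategy mentions before it is promoted to Critical.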

Practice Detecting Remote Services

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Remote Services. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Remote Services?
SOC analysts detect Remote Services (T1021) by monitoring SIEM and firewall telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring RDP authentication events for logons from unusual source hosts, particularly from workstations connecting to servers or from hosts that have not previously used RDP to access specific destinations. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Remote Services?
Remote Services can be detected using SIEM and firewall platforms. SIEM tools are particularly effective for this technique because they provide visibility into the lateral movement phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Remote Services in real-world attacks?
Remote Services is a well-documented MITRE ATT&CK technique in the Lateral Movement tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Remote Services scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Remote Services for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Lateral Movement techniques like Remote Services. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.