Remote Services T1021
Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
Events covered
59 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 242 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, however many times it checks the same field or value.
Fields filtered most (123 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1150 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (322 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 100 rules
- Access To ADMIN$ Network Share
- Active Directory honeypot used for lateral movement
- BaaUpdate.exe Suspicious DLL Load
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
- DCOM lateral movement (via MMC20)
- Denied Access To Remote Desktop
- Denied RDP login with valid credentials
- Enable Windows Remote Management
- Execute Invoke-command on Remote Host
- First Time Seen Remote Named Pipe
- HackTool - NetExec Execution
- HackTool - NetExec File Indicators
- HackTool - Potential Impacket Lateral Movement Activity
- HackTool - SharpMove Tool Execution
- HackTool - WinRM Access Via Evil-WinRM
- Hermetic Wiper TG Process Patterns
- Impacket DCOMexec privilege abuse via MMC
- Impacket DCOMexec process abuse via MMC
- Impacket PsExec Execution
- Impacket WMIexec execution via SMB admin share
- Lateral movement by mounting a network share - net use (command)
- Lateral movement detection (based on "special groups" feature)
- Metasploit Or Impacket Service Installation Via SMB PsExec
- Metasploit SMB Authentication
- MMC Spawning Windows Shell
- MMC20 Lateral Movement
- Net.EXE Execution
- Network share manipulation via commandline
- New network file share created
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- Number of oustanding SMB requests increased
- OpenEDR Spawning Command Shell
- OpenSSH native server feature installation
- OpenSSH Server Listening On Socket
- OpenSSH server listening on socket
- OpenSSH service activation on Windows
- Outbound RDP Connections Over Non-Standard Tools
- Password Provided In Command Line Of Net.EXE
- Port Forwarding Activity Via SSH.EXE
- Potential CobaltStrike Service Installations - Registry
- Potential DCOM InternetExplorer.Application DLL Hijack
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- Potential Lateral Movement via Windows Remote Shell
- Potential Remote Desktop Tunneling
- Potential Remote PowerShell Session Initiated
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Privilege Escalation via Named Pipe Impersonation
- Protected Storage Service Access
- Psexec Execution
- PSexec execution over SMB share
- PUA - CSExec Default Named Pipe
- PUA - RemCom Default Named Pipe
- RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
- RDP Login from Localhost
- RDP Over Reverse SSH Tunnel
- RDP over Reverse SSH Tunnel WFP
- RDP shadow session configuration enabled (registry)
- RDP shadow session started (command)
- RDP to HTTP or HTTPS Target Ports
- RDP tunneling configuration enabled for port forwarding
- RDP tunneling via ngrok detected
- Remote LSASS Process Access Through Windows Remote Management
- Remote PowerShell Session (PS Classic)
- Remote PowerShell Session (PS Module)
- Remote PowerShell Session Host Process (WinRM)
- Remote Service Activity via SVCCTL Named Pipe
- Remote shell execution via SMB admin share
- Rundll32 Execution Without Parameters
- Rundll32 UNC Path Execution
- Shared printer creation (PrintNightmare vulnerability - CVE-2021-36958)
- SMB admin share accessed
- SMB Create Remote File Admin Share
- smbexec.py Service Installation
- Suspicious BitLocker Access Agent Update Utility Execution
- Suspicious New-PSDrive to Admin Share
- Suspicious permissions modification on a network share
- Suspicious Plink Port Forwarding
- Suspicious PsExec Execution
- Suspicious RDP Redirect Using TSCON
- Suspicious Speech Runtime Binary Child Process
- Suspicious UltraVNC Execution
- Suspicious WSMAN Provider Image Loads
- T1047 Wmiprvse Wbemcomn DLL Hijack
- Turla Group Lateral Movement
- Unsigned or Unencrypted SMB Connection to Share Established
- User Added to Remote Desktop Users Group
- Windows Admin Share Mount Via Net.EXE
- Windows Internet Hosted WebDav Share Mount Via Net.EXE
- Windows Share Mount Via Net.EXE
- WinRM listening service reconnaissance (process)
- WinRM listening service reconnaissance (WS-Management)
- Winrs Local Command Execution
- WinRS usage for remote execution
- Wmiprvse Wbemcomn DLL Hijack
- Wmiprvse Wbemcomn DLL Hijack - File
Elastic 41 rules
- At.exe Command Lateral Movement
- Execution via TSClient Mountpoint
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell
- Lateral Movement via Startup Folder
- Mounting Hidden or WebDav Remote Shares
- Network-Level Authentication (NLA) Disabled
- NullSessionPipe Registry Modification
- Outbound Scheduled Task Activity via PowerShell
- Potential Lateral Tool Transfer via SMB Share
- Potential Machine Account Relay Attack via SMB
- Potential Network Share Discovery
- Potential Outgoing RDP Connection by Unusual Process
- Potential Ransomware Behavior - Note Files by System
- Potential Ransomware Note File Dropped via SMB
- Potential Remote Credential Access via Registry
- Potential Remote Desktop Shadowing Activity
- Potential Remote Desktop Tunneling Detected
- Potential SharpRDP Behavior
- PsExec Network Connection
- RDP Enabled via Registry
- Remote Desktop Enabled in Windows Firewall by Netsh
- Remote Execution via File Shares
- Remote File Copy to a Hidden Share
- Remote Scheduled Task Creation
- Remote Scheduled Task Creation via RPC
- Remote Windows Service Installed
- Remotely Started Services via RPC
- Service Command Lateral Movement
- SMB Connections via LOLBin or Untrusted Process
- Suspicious Cmd Execution via WMI
- Suspicious Execution from a WebDav Share
- Suspicious File Renamed via SMB
- Suspicious Process Execution via Renamed PsExec Executable
- Suspicious Remote Registry Access via SeBackupPrivilege
- Windows Registry File Creation in SMB Share
- WMI Incoming Lateral Movement
- WMIC Remote Command
Splunk 84 rules
- Allow Inbound Traffic By Firewall Rule Registry
- Allow Inbound Traffic In Firewall Rule
- Detect PsExec With accepteula Flag
- Enable RDP In Other Port Number
- Executable File Written in Administrative SMB Share
- Impacket Lateral Movement Activity (Sysmon)
- Impacket Lateral Movement Activity (Windows Event Log)
- Impacket Lateral Movement Commandline Parameters
- Impacket Lateral Movement smbexec CommandLine Parameters
- Impacket Lateral Movement WMIExec Commandline Parameters
- Impacket PSexec (Windows Event Log)
- Impacket SMBexec (Windows Event Log)
- Interactive Session on Remote Endpoint with PowerShell
- Invoke-DCOM.ps1 - PowerShell (PowerShell)
- Invoke-DCOM.ps1 - PowerShell (Sysmon)
- Invoke-DCOM.ps1 - PowerShell (Windows Event Log)
- Mmc LOLBAS Execution Process Spawn
- MSTSC Execution (EDR)
- MSTSC Execution (Windows Event Log)
- Net.exe Use with URL (Sysmon)
- Net.exe Use with URL (Windows Event Log)
- Possible Lateral Movement PowerShell Spawn
- Potential EternalBlue via Metasploit (Windows Event Log)
- Powershell Remote Services Add TrustedHost
- RDP Connection (Sysmon)
- RDP Connection (Windows Event Log)
- RDP Enabled (PowerShell)
- RDP Enabled (Sysmon)
- RDP Enabled (Windows Event Log)
- RDP File Executed from Outlook Temp Directory (Sysmon)
- RDP File Executed from Outlook Temp Directory (Windows Event Log)
- RDP File Written by Outlook (Sysmon)
- RDP File Written by Outlook (Windows Event Log)
- RDP Logon_Logoff Event (Windows Event Log)
- Remote Admin Tools (EDR)
- Remote Admin Tools (PowerShell)
- Remote Admin Tools (Sysmon)
- Remote Admin Tools (Windows Event Log)
- Remote Desktop Process Running On System
- Remote Process Instantiation via DCOM and PowerShell
- Remote Process Instantiation via DCOM and PowerShell Script Block
- Remote Process Instantiation via WinRM and PowerShell
- Remote Process Instantiation via WinRM and PowerShell Script Block
- Remote Process Instantiation via WinRM and Winrs
- SMB Write Access on Administrative Share (Windows Event Log)
- Windows Admin$ Share Access (Sysmon)
- Windows Admin$ Share Access (Windows Event Log)
- Windows Azure PowerShell Module Installation Via PowerShell Script
- Windows C$ Share Access (EDR)
- Windows C$ Share Access (Sysmon)
- Windows C$ Share Access (Windows Event Log)
- Windows Default RDP File Creation By Non MSTSC Process
- Windows Default Rdp File Unhidden
- Windows Excel Spawning Microsoft Project Application
- Windows IPC$ Share Access (Sysmon)
- Windows IPC$ Share Access (Windows Event Log)
- Windows MSTSC RDP Commandline
- Windows Process Execution From RDP Share
- Windows Protocol Tunneling with Plink
- Windows PUA Named Pipe
- Windows PuTTY Suite Utility Execution
- Windows RDP Bitmap Cache File Creation
- Windows RDP Client Launched with Admin Session
- Windows RDP File Execution
- Windows RDP Login Session Was Established
- Windows RDP Server Registry Entry Created
- Windows Remote Host Computer Management Access
- Windows Remote Management Execute Shell
- Windows Remote Service Rdpwinst Tool Execution
- Windows Remote Services Allow Rdp In Firewall
- Windows Remote Services Allow Remote Assistance
- Windows Remote Services Rdp Enable
- Windows RMM Named Pipe
- Windows Share Multiple File Access (Windows Event Log)
- Windows Special Privileged Logon On Multiple Hosts
- Windows SpeechRuntime COM Hijacking DLL Load
- Windows SpeechRuntime Suspicious Child Process
- Windows Suspicious C2 Named Pipe
- Windows Suspicious Named Pipe
- Windows Theme File Creation in Unusual Location
- WinRM Tools (PowerShell)
- WinRM Tools (Sysmon)
- WinRM Tools (Windows Event Log)
- Wsmprovhost LOLBAS Execution Process Spawn
Kusto 11 rules
- Anomaly in SMB Traffic(ASIM Network Session schema)
- DCOM Lateral Movement
- Detecting Macro Invoking ShellBrowserWindow COM Objects
- Lateral Movement via DCOM
- Multiple RDP connections from Single System
- Powershell Empire Cmdlets Executed in Command Line
- Rare RDP Connections
- RDP Nesting
- Remote Desktop Protocol - SharpRDP
- SMB/Windows Admin Shares
- WinRM Plugin Lateral Movement
YARA-L 6 rules
- Copy From Or To Admin Share Or Sysvol Folder
- MITRE ATT&CK T1021.002 Windows Admin Share Basic
- MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity
- MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment
- MITRE ATT&CK T1021.002 Windows Admin Share With User Entity
- Potential Remote PowerShell Session Initiated