Esc
Remote Services - T1021

(ATT&CK® Technique)
Subtechniques

Definition

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1021["Remote Services"] --> |produces| AdministrativeNetworkTraffic["Administrative Network Traffic"]; class T1021 OffensiveTechniqueNode;
        class AdministrativeNetworkTraffic ArtifactNode; click AdministrativeNetworkTraffic href "/dao/artifact/d3f:AdministrativeNetworkTraffic";
        click T1021 href "/offensive-technique/attack/T1021/"; click AdministrativeNetworkTraffic href "/dao/artifact/d3f:AdministrativeNetworkTraffic"; T1021["Remote Services"] --> |produces| IntranetNetworkTraffic["Intranet Network Traffic"]; class T1021 OffensiveTechniqueNode;
        class IntranetNetworkTraffic ArtifactNode; click IntranetNetworkTraffic href "/dao/artifact/d3f:IntranetNetworkTraffic";
        click T1021 href "/offensive-technique/attack/T1021/"; click IntranetNetworkTraffic href "/dao/artifact/d3f:IntranetNetworkTraffic"; T1021["Remote Services"] --> |creates| RDPSession["RDP Session"]; class T1021 OffensiveTechniqueNode;
        class RDPSession ArtifactNode; click RDPSession href "/dao/artifact/d3f:RDPSession";
        click T1021 href "/offensive-technique/attack/T1021/"; click RDPSession href "/dao/artifact/d3f:RDPSession"; T1021["Remote Services"] --> |creates| SSHSession["SSH Session"]; class T1021 OffensiveTechniqueNode;
        class SSHSession ArtifactNode; click SSHSession href "/dao/artifact/d3f:SSHSession";
        click T1021 href "/offensive-technique/attack/T1021/"; click SSHSession href "/dao/artifact/d3f:SSHSession";                                                    UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | May Detect | T1021["Remote Services"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | AdministrativeNetworkTraffic["Administrative Network Traffic"];

          
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class AdministrativeNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | AdministrativeNetworkTraffic["Administrative Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | May Detect | T1021["Remote Services"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class AdministrativeNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";                                           ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | May Detect | T1021["Remote Services"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
            | May Detect | T1021["Remote Services"] ;
          class ConnectionAttemptAnalysis DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis";   NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | AdministrativeNetworkTraffic["Administrative Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | May Detect | T1021["Remote Services"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class AdministrativeNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";        ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | AdministrativeNetworkTraffic["Administrative Network Traffic"];

          
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class AdministrativeNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";                                 PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | May Detect | T1021["Remote Services"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";                 PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | AdministrativeNetworkTraffic["Administrative Network Traffic"];

          
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class AdministrativeNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";                      NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";  NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | AdministrativeNetworkTraffic["Administrative Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | May Detect | T1021["Remote Services"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class AdministrativeNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";      RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | May Detect | T1021["Remote Services"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";                              RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | AdministrativeNetworkTraffic["Administrative Network Traffic"];

          
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class AdministrativeNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";  SessionTermination["Session Termination"] -->
          | deletes | SSHSession["SSH Session"];

          SessionTermination["Session Termination"] -.->
            | May Evict | T1021["Remote Services"] ;
          class SessionTermination DefensiveTechniqueNode;
          class SSHSession ArtifactNode;
          click SessionTermination href "/technique/d3f:SessionTermination"; SessionTermination["Session Termination"] -->
          | deletes | RDPSession["RDP Session"];

          
          class SessionTermination DefensiveTechniqueNode;
          class RDPSession ArtifactNode;
          click SessionTermination href "/technique/d3f:SessionTermination";                                         NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";                          NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | AdministrativeNetworkTraffic["Administrative Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | May Isolate | T1021["Remote Services"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class AdministrativeNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | IntranetNetworkTraffic["Intranet Network Traffic"];

          
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";
json