Remote Services - T1021
(ATT&CK® Technique)
Definition
Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
D3FEND Inferred Relationships
graph LR;
T1021["Remote Services"] --> |produces| AdministrativeNetworkTraffic["Administrative Network Traffic"];
T1021 --> |produces| IntranetNetworkTraffic["Intranet Network Traffic"];
T1021 --> |creates| RDPSession["RDP Session"];
T1021 --> |creates| SSHSession["SSH Session"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] --> |analyzes| AdministrativeNetworkTraffic;
Client-serverPayloadProfiling --> |analyzes| IntranetNetworkTraffic;
Client-serverPayloadProfiling -.-> |may-detect| T1021;
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> |analyzes| IntranetNetworkTraffic;
ProtocolMetadataAnomalyDetection --> |analyzes| AdministrativeNetworkTraffic;
ProtocolMetadataAnomalyDetection -.-> |may-detect| T1021;
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> |analyzes| AdministrativeNetworkTraffic;
PerHostDownload-UploadRatioAnalysis --> |analyzes| IntranetNetworkTraffic;
PerHostDownload-UploadRatioAnalysis -.-> |may-detect| T1021;
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> |analyzes| AdministrativeNetworkTraffic;
UserGeolocationLogonPatternAnalysis --> |analyzes| IntranetNetworkTraffic;
UserGeolocationLogonPatternAnalysis -.-> |may-detect| T1021;
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> |analyzes| AdministrativeNetworkTraffic;
NetworkTrafficSignatureAnalysis --> |analyzes| IntranetNetworkTraffic;
NetworkTrafficSignatureAnalysis -.-> |may-detect| T1021;
ConnectionAttemptAnalysis["Connection Attempt Analysis"] --> |analyzes| IntranetNetworkTraffic;
ConnectionAttemptAnalysis -.-> |may-detect| T1021;
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> |analyzes| IntranetNetworkTraffic;
NetworkTrafficCommunityDeviation --> |analyzes| AdministrativeNetworkTraffic;
NetworkTrafficCommunityDeviation -.-> |may-detect| T1021;
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> |analyzes| IntranetNetworkTraffic;
RemoteTerminalSessionDetection --> |analyzes| AdministrativeNetworkTraffic;
RemoteTerminalSessionDetection -.-> |may-detect| T1021;
SessionTermination["Session Termination"] --> |deletes| SSHSession;
SessionTermination --> |deletes| RDPSession;
SessionTermination -.-> |may-evict| T1021;
NetworkTrafficFiltering["Network Traffic Filtering"] --> |filters| AdministrativeNetworkTraffic;
NetworkTrafficFiltering --> |filters| IntranetNetworkTraffic;
NetworkTrafficFiltering -.-> |may-isolate| T1021;
class T1021 OffensiveTechniqueNode;
class AdministrativeNetworkTraffic ArtifactNode;
class IntranetNetworkTraffic ArtifactNode;
class RDPSession ArtifactNode;
class SSHSession ArtifactNode;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class SessionTermination DefensiveTechniqueNode;
class NetworkTrafficFiltering DefensiveTechniqueNode;
click T1021 href "../../../offensive-technique/attack/T1021/";
click AdministrativeNetworkTraffic href "../../../dao/artifact/d3f:AdministrativeNetworkTraffic";
click IntranetNetworkTraffic href "../../../dao/artifact/d3f:IntranetNetworkTraffic";
click RDPSession href "../../../dao/artifact/d3f:RDPSession";
click SSHSession href "../../../dao/artifact/d3f:SSHSession";
click Client-serverPayloadProfiling href "../../../technique/d3f:Client-serverPayloadProfiling";
click ProtocolMetadataAnomalyDetection href "../../../technique/d3f:ProtocolMetadataAnomalyDetection";
click PerHostDownload-UploadRatioAnalysis href "../../../technique/d3f:PerHostDownload-UploadRatioAnalysis";
click UserGeolocationLogonPatternAnalysis href "../../../technique/d3f:UserGeolocationLogonPatternAnalysis";
click NetworkTrafficSignatureAnalysis href "../../../technique/d3f:NetworkTrafficSignatureAnalysis";
click ConnectionAttemptAnalysis href "../../../technique/d3f:ConnectionAttemptAnalysis";
click NetworkTrafficCommunityDeviation href "../../../technique/d3f:NetworkTrafficCommunityDeviation";
click RemoteTerminalSessionDetection href "../../../technique/d3f:RemoteTerminalSessionDetection";
click SessionTermination href "../../../technique/d3f:SessionTermination";
click NetworkTrafficFiltering href "../../../technique/d3f:NetworkTrafficFiltering";