Skip to content

T1021 Remote Services

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).86 They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain.

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.231 Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.543

Item Value
ID T1021
Sub-techniques T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1021.007
Tactics TA0008
Platforms Linux, Windows, macOS
Version 1.3
Created 31 May 2017
Last Modified 30 March 2023

Procedure Examples

ID Name Description
S1063 Brute Ratel C4 Brute Ratel C4 has the ability to use RPC for lateral movement.9
S0437 Kivars Kivars has the ability to remotely trigger keyboard input and mouse clicks. 10
S1016 MacMa MacMa can manage remote screen sessions.11
S0603 Stuxnet Stuxnet can propagate via peer-to-peer communication and updates using RPC.12


ID Mitigation Description
M1032 Multi-factor Authentication Use multi-factor authentication on remote service logons where possible.
M1018 User Account Management Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.


ID Data Source Data Component
DS0017 Command Command Execution
DS0028 Logon Session Logon Session Creation
DS0011 Module Module Load
DS0033 Network Share Network Share Access
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation