Skip to content

T1021 Remote Services

Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).12

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.345 Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.674

Item Value
ID T1021
Sub-techniques T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006
Tactics TA0008
Platforms Linux, Windows, macOS
Version 1.2
Created 31 May 2017
Last Modified 28 March 2022

Procedure Examples

ID Name Description
S0437 Kivars Kivars has the ability to remotely trigger keyboard input and mouse clicks. 9
S0603 Stuxnet Stuxnet can propagate via peer-to-peer communication and updates using RPC.10


ID Mitigation Description
M1032 Multi-factor Authentication Use multi-factor authentication on remote service logons where possible.
M1018 User Account Management Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.


ID Data Source Data Component
DS0017 Command Command Execution
DS0028 Logon Session Logon Session Creation
DS0011 Module Module Load
DS0033 Network Share Network Share Access
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation


Back to top