T1021

Remote Services

Lateral Movement

Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, SSH, or SMB.

Real-World Example

After initial compromise, ransomware operators often use RDP to move laterally within networks, deploying ransomware to multiple systems.

Defense Strategies

  • Network segmentation
  • Just-in-time access
  • Privileged access workstations
  • Monitor lateral connections

Detection Methods

  • Track remote connection patterns
  • Monitor for unusual RDP/SSH activity
  • Detect admin tool usage
  • Baseline normal remote access
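
One way to combine "baseline normal remote access" with "track remote connection patterns", as an added example that is not part of the original page. The record format (`time src dst service user`), the host and account names, and the fan-out threshold are constructed assumptions; in practice the records would come from RDP/SSH logon events or network flow data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "ISO-time src dst service user" (hypothetical format).
BASELINE = """\
2024-05-01T09:02:11 ws-014 jump-01 ssh alice
2024-05-01T09:05:40 jump-01 db-02 ssh alice
2024-05-02T10:15:03 paw-01 dc-01 rdp adm-bob
2024-05-03T09:01:57 ws-014 jump-01 ssh alice
"""
OBSERVED = """\
2024-05-06T09:03:20 ws-014 jump-01 ssh alice
2024-05-06T23:41:02 ws-031 fs-01 rdp adm-bob
2024-05-06T23:43:15 ws-031 fs-02 rdp adm-bob
2024-05-06T23:44:48 ws-031 db-02 rdp adm-bob
2024-05-06T23:47:30 ws-031 dc-01 rdp adm-bob
"""

def parse(text):
    for line in text.splitlines():
        ts, src, dst, svc, user = line.split()
        yield datetime.fromisoformat(ts), src, dst, svc, user

def build_baseline(text):
    """Set of (user, src, dst, service) edges seen during the baseline period."""
    return {(u, s, d, v) for _, s, d, v, u in parse(text)}

def detect(text, baseline, fanout=3, window=timedelta(minutes=10)):
    """Return (new_edges, fanout_sources) for the observed records."""
    new_edges, recent, fan = [], defaultdict(list), set()
    for ts, src, dst, svc, user in sorted(parse(text)):
        # Remote logon path never seen in the baseline period
        if (user, src, dst, svc) not in baseline:
            new_edges.append((ts.isoformat(), user, src, dst, svc))
        # Sliding window of destinations reached by this (source, user)
        hits = recent[(src, user)]
        hits.append((ts, dst))
        hits[:] = [(t, d) for t, d in hits if ts - t <= window]
        if len({d for _, d in hits}) >= fanout:
            fan.add((src, user))
    return new_edges, sorted(fan)

if __name__ == "__main__":
    edges, fan = detect(OBSERVED, build_baseline(BASELINE))
    for e in edges:
        print("new edge:", *e)
    for src, user in fan:
        print("fan-out:", src, user)
```

In the sample, the admin account's baseline path is from the privileged access workstation only, so every session from `ws-031` is a new edge, and reaching several hosts within minutes also trips the fan-out check.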
