T1021 Remote Services Mappings

Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1021 Remote Services
AC-2 Account Management Protects T1021 Remote Services
AC-20 Use of External Systems Protects T1021 Remote Services
AC-3 Access Enforcement Protects T1021 Remote Services
AC-5 Separation of Duties Protects T1021 Remote Services
AC-6 Least Privilege Protects T1021 Remote Services
AC-7 Unsuccessful Logon Attempts Protects T1021 Remote Services
CM-5 Access Restrictions for Change Protects T1021 Remote Services
CM-6 Configuration Settings Protects T1021 Remote Services
IA-2 Identification and Authentication (organizational Users) Protects T1021 Remote Services
IA-5 Authenticator Management Protects T1021 Remote Services
SI-4 System Monitoring Protects T1021 Remote Services
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration technique_scores T1021 Remote Services
network_security_groups Network Security Groups technique_scores T1021 Remote Services
azure_sentinel Azure Sentinel technique_scores T1021 Remote Services
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1021 Remote Services
azure_policy Azure Policy technique_scores T1021 Remote Services
azure_network_traffic_analytics Azure Network Traffic Analytics technique_scores T1021 Remote Services
docker_host_hardening Docker Host Hardening technique_scores T1021 Remote Services

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1021.003 Distributed Component Object Model 22
T1021.001 Remote Desktop Protocol 28
T1021.002 SMB/Windows Admin Shares 20
T1021.004 SSH 21
T1021.005 VNC 25
T1021.006 Windows Remote Management 18