MITRE ATT&CK · TA0008 Lateral Movement

T1021: Remote Services

T1021 covers lateral movement over administrative protocols such as RDP, SSH, WinRM and VNC once an attacker holds valid credentials. In cloud estates the exposed management port is the precondition that matters most. DCV maps Azure's just-in-time (JIT) network access control and the Defender for Cloud recommendation that all network ports be restricted to the preventive surface, and AWS Inspector NETWORK_REACHABILITY findings flag instances whose management ports are reachable from the internet. Closing those paths does not stop a credentialed attacker from moving east-west inside the network, but it removes the direct route in and pushes the remaining activity onto channels (interactive logon events, SSH authentication logs, cloud audit logs) where detections have a chance to catch it.
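The network precondition above can be checked locally before relying on a provider scanner. The following Python is an added example, not DCV, Inspector or Defender code: it walks a security-group style ingress ruleset in an assumed, simplified shape (protocol, from_port, to_port, cidr), and reports every management port that an ingress rule opens to any address or to a public source range. The sample ruleset and the list of internal source ranges are constructed for the example.

```python
"""Added example: find management ports that an ingress ruleset exposes to
the internet. Rule shape is an assumed simplification of a cloud security
group, not the AWS or Azure API schema."""
import ipaddress

# Ports the T1021 sub-techniques ride on: Telnet, SSH, RDP, VNC, WinRM
MANAGEMENT_PORTS = {
    23: "Telnet",
    22: "SSH",
    3389: "RDP",
    5900: "VNC",
    5985: "WinRM-HTTP",
    5986: "WinRM-HTTPS",
}

# Source ranges treated as internal (assumption: RFC1918, CGNAT, loopback,
# link-local and IPv6 ULA). Anything else is reachable from outside.
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

ALL_PROTOCOLS = ("-1", "all", "*")


def rule_allows_port(rule, port):
    """True if an ingress rule admits TCP traffic to `port`.
    All-protocol rules ignore the port fields; UDP-only rules cannot carry
    these services."""
    proto = str(rule["protocol"]).lower()
    if proto in ALL_PROTOCOLS:
        return True
    if proto != "tcp":
        return False
    return int(rule["from_port"]) <= port <= int(rule["to_port"])


def source_exposure(cidr):
    """Classify a source CIDR: 'internet' (any address), 'public' (a specific
    range outside INTERNAL_SOURCES) or None (internal only)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "internet"
    for internal in INTERNAL_SOURCES:
        if internal.version == net.version and net.subnet_of(internal):
            return None
    return "public"


def exposed_management_ports(rules):
    """Return sorted (port, service, cidr, exposure) tuples for every
    management port that some rule opens to a non-internal source."""
    findings = set()
    for rule in rules:
        exposure = source_exposure(rule["cidr"])
        if exposure is None:
            continue
        for port, service in MANAGEMENT_PORTS.items():
            if rule_allows_port(rule, port):
                findings.add((port, service, rule["cidr"], exposure))
    return sorted(findings)


# Constructed sample ruleset (not real infrastructure)
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},         # HTTPS: not a T1021 port
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},       # RDP to the world
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},          # SSH from inside only
    {"protocol": "tcp", "from_port": 5900, "to_port": 5999, "cidr": "203.0.113.0/24"},  # VNC range from one public block
    {"protocol": "-1", "from_port": 0, "to_port": 0, "cidr": "::/0"},                   # everything over IPv6
    {"protocol": "udp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},         # UDP: no T1021 service
]

if __name__ == "__main__":
    for port, service, cidr, exposure in exposed_management_ports(SAMPLE_RULES):
        print(f"{service:12} tcp/{port:<5} from {cidr:16} [{exposure}]")
```

Two details in the sample are worth noticing: the IPv6 all-protocol rule exposes every management port even though no IPv4 rule does, and the "VNC" range 5900-5999 also admits WinRM on 5985/5986. Both are the kind of over-broad rule the Defender recommendation to restrict all network ports is aimed at.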

01 What is T1021?

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to log in using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could log in to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP). They could also log in to accessible SaaS or IaaS services, such as those that federate their identities to the domain, or management platforms for internal virtualization environments such as VMware vCenter.

Legitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer. Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.

Platforms: Linux, macOS, Windows, IaaS, ESXi.

02 Coverage in DCV

DCV maps 7 detections across 3 cloud providers to T1021. Coverage by source:

Source                          Cloud   Findings mapped   Avg confidence
Azure Policy                    Azure   2                 0.90
Microsoft Defender for Cloud    Azure   2                 0.85
AWS Inspector                   AWS     1                 0.80
Azure Regulatory Compliance     Azure   1                 0.90
GCP Chronicle                   GCP     1                 0.90

03 Detect with CloudSigma

CloudSigma has coverage metadata for 7 T1021 rules across 5 platforms. The linked platform page remains the canonical rule surface, but no public example rule has yet cleared the embed bar for this page, so none is shown here. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production: confirm the field names match your log source, that the rule fires on a known test logon, and that it stays quiet on your expected administrative traffic (jump hosts, deployment tooling).
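Validating a starting-point rule against local telemetry means running it over events you already hold and checking that it fires only where you expect. The following Python is an added example, not CloudSigma's engine and not a published CloudSigma rule: it implements just enough Sigma detection semantics (AND across selection fields, OR across list values, the contains/startswith/endswith modifiers, and the condition forms 'selection' and 'selection and not filter') to dry-run two T1021 rules over constructed events. The first is a Windows Security 4624 rule for RemoteInteractive (LogonType 10, i.e. RDP) logons with an assumed jump-host subnet filtered out; the second matches sshd password logins for privileged accounts. The event field names, the jump-host subnet and the events themselves are assumptions made for the example.

```python
"""Added example: minimal Sigma-style matcher for dry-running two T1021
detections against constructed events. Not CloudSigma's engine."""


def _match_field(event, key, expected):
    """Evaluate one selection entry 'field[|modifier]: value(s)' against an
    event. A list of values is an OR; values are compared as strings."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual)
    values = expected if isinstance(expected, list) else [expected]
    for value in map(str, values):
        if modifier == "" and actual == value:
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
    return False


def _match_block(event, block):
    """A selection or filter block is an AND over its entries."""
    return all(_match_field(event, k, v) for k, v in block.items())


def evaluate(rule, event):
    """Supports the conditions 'selection' and 'selection and not filter'."""
    det = rule["detection"]
    condition = det["condition"]
    if condition not in ("selection", "selection and not filter"):
        raise ValueError(f"unsupported condition: {condition!r}")
    if not _match_block(event, det["selection"]):
        return False
    if condition == "selection and not filter":
        return not _match_block(event, det["filter"])
    return True


def run_rules(rules, events):
    """Dry run: map each rule title to the ids of the events it fires on."""
    return {r["title"]: [e["id"] for e in events if evaluate(r, e)] for r in rules}


# Rule 1: RDP (RemoteInteractive) logon not originating from the jump hosts.
# The jump-host subnet 10.10.5.0/24 is an assumption for the example.
RDP_RULE = {
    "title": "Remote interactive logon from outside jump-host range",
    "detection": {
        "selection": {"EventID": 4624, "LogonType": 10},
        "filter": {"IpAddress|startswith": "10.10.5."},
        "condition": "selection and not filter",
    },
}

# Rule 2: sshd accepted a password (not a key) for a privileged account.
SSH_RULE = {
    "title": "SSH password login for a privileged account",
    "detection": {
        "selection": {
            "process": "sshd",
            "message|contains": "Accepted password",
            "user": ["root", "admin"],
        },
        "condition": "selection",
    },
}

# Constructed events (assumed field names; not real telemetry)
EVENTS = [
    {"id": 1, "EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "10.10.5.20"},  # from a jump host: filtered
    {"id": 2, "EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "10.40.7.9"},   # RDP from a workstation subnet: fires
    {"id": 3, "EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup", "IpAddress": "10.40.7.9"},    # network logon, not RDP
    {"id": 4, "process": "sshd", "user": "root", "message": "Accepted password for root from 10.40.7.9 port 51022 ssh2"},      # fires
    {"id": 5, "process": "sshd", "user": "deploy", "message": "Accepted publickey for deploy from 10.10.5.20 port 50011 ssh2"},  # key auth, ordinary user
]

if __name__ == "__main__":
    for title, ids in run_rules([RDP_RULE, SSH_RULE], EVENTS).items():
        print(f"{title}: fired on events {ids}")
```

Event 1 is the case the filter exists for: a real RemoteInteractive logon that the rule must stay quiet on, because it comes from the expected administrative path. Swapping in a day of your own 4624 and sshd events in place of EVENTS is the local-telemetry check the section asks for; if the jump-host filter has to grow to keep the rule quiet, that is a sign the exposure, not the rule, needs fixing.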

04 Related techniques

05 FAQ

What is T1021 (Remote Services)?

Lateral movement over remote administrative protocols (RDP, SSH, WinRM, VNC, Telnet) using valid credentials, as summarized at the top of this page. In cloud estates the preventive controls DCV maps to it are Azure just-in-time network access, the Defender for Cloud recommendation to restrict all network ports, and AWS Inspector NETWORK_REACHABILITY findings for management ports reachable from the internet.

Where does T1021 appear in cloud detection sources?

DCV maps 7 cloud-native detections to T1021 across 3 cloud providers, drawn from AWS Inspector, Azure Policy, Azure Regulatory Compliance, GCP Chronicle and Microsoft Defender for Cloud.

What MITRE ATT&CK tactic does T1021 belong to?

T1021 is part of the MITRE ATT&CK tactic TA0008 Lateral Movement, which covers the techniques adversaries use to move from one system to the next.

How does CloudSigma fit for T1021?

CloudSigma ships 5 validated Sigma rules for T1021 across AWS CloudTrail, Azure Activity, GCP Audit Logs, Linux auditd and Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1021/
  • MITRE Tactic TA0008 Lateral Movement, https://attack.mitre.org/tactics/TA0008/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings (https://center-for-threat-informed-defense.github.io/security-stack-mappings/)
Last verified: 2026-06-11