technique_id T1021
category MITRE ATT&CK
tactic Lateral Movement
sub-techniques 8
published March 2026

T1021: Remote Services

Adversaries use valid credentials to authenticate into remote services — RDP, SSH, SMB, WinRM, VNC, and cloud management consoles — and operate as a legitimate user on the target system. Because these services exist for authorized administration, the attacker's traffic blends with normal business operations, making lateral movement through remote services one of the hardest techniques to detect and one of the most damaging to contain.

Remote services are the backbone of enterprise IT administration. System administrators use Remote Desktop Protocol to troubleshoot workstations, SSH to manage Linux servers, SMB shares to distribute software, and WinRM to run PowerShell commands across fleets of machines. These are necessary, sanctioned, and deeply embedded in how organizations operate. That same ubiquity is what makes T1021 so dangerous: the attacker's lateral movement looks identical to a systems administrator doing their job.

The technique is straightforward in concept. After gaining initial access to a network — through phishing, exploiting a public-facing application, or purchasing credentials from an access broker — the attacker harvests additional credentials from the compromised system. Armed with valid usernames and passwords (or hashes, or tokens), they authenticate into other systems using the same remote services the IT team uses every day. Each successful authentication extends their reach, and each new system provides additional credentials and intelligence that fuel further movement.

T1021 is classified under the Lateral Movement tactic because it describes how adversaries spread through a network after the initial foothold. It is the primary mechanism by which a single compromised endpoint becomes a full domain compromise, and it is the technique that transforms a containable incident into an organization-wide crisis. According to CrowdStrike's 2025 threat report, access broker advertisements for credentials enabling remote service access surged 50% year-over-year, confirming that the criminal ecosystem has structured itself around supplying the inputs that T1021 requires.

How Lateral Movement via Remote Services Works

The lateral movement chain begins with credential acquisition. On the initially compromised system, the attacker extracts credentials from memory (using tools like Mimikatz to dump LSASS), from disk (SAM database, cached domain credentials, configuration files containing passwords), or from the user's session (browser-stored passwords, SSH keys, RDP connection manager files). In hybrid environments, they may also steal tokens, cookies, or OAuth grants that provide access to cloud services.

With credentials in hand, the attacker surveys the network. Discovery tools — often native Windows utilities like net view, nltest, and ping — identify which systems are reachable and which services are listening. The attacker maps the domain structure, identifies high-value targets (domain controllers, file servers, database servers, backup infrastructure), and plans their movement path.

The movement itself is unremarkable by design. The attacker opens an RDP session to a server using a domain administrator's credentials. They connect to a file share over SMB and browse for sensitive data. They SSH into a Linux server and enumerate further. They run a PowerShell command on a remote system via WinRM. Each of these actions generates the same log entries as legitimate administration — a successful authentication, a new session, a process execution. Without behavioral context that distinguishes "the real administrator" from "the attacker using the administrator's credentials," these events are invisible in the noise of normal operations.

critical

Ransomware lateral movement has become faster, more identity-led, and increasingly executed through legitimate administrative channels rather than bespoke malware. As of 2026, the detection-to-containment window for T1021-based lateral movement is measured in hours, not days. If east-west telemetry is weak, a single compromised endpoint becomes a domain compromise before anyone notices.

Sub-Techniques

T1021 has eight sub-techniques, each corresponding to a specific remote service protocol. Understanding the distinctions matters because detection strategies, log sources, and defensive controls differ for each one.

T1021.001 — Remote Desktop Protocol (RDP)

RDP is the single most abused remote service in ransomware operations. It provides full graphical desktop access to the target system, allowing the attacker to interact with applications, browse the filesystem, and launch tools as if they were sitting at the keyboard. RDP runs on TCP port 3389 by default and is frequently exposed to the internet on systems where it should not be. Even when restricted to internal networks, attackers who have compromised a single endpoint can RDP to other internal systems using harvested credentials. Akira ransomware operators have been documented scanning internal IP ranges and logging into servers with stolen credentials via RDP, often deploying destructive payloads within hours of initial access.

T1021.002 — SMB/Windows Admin Shares

Server Message Block (SMB) provides access to Windows administrative shares (C$, ADMIN$, IPC$) that exist on every Windows system by default. Attackers use SMB with valid credentials to copy files to remote systems, execute commands through service creation, and access data on shared drives. Tools like PsExec, Impacket's smbexec, and CrackMapExec automate mass lateral movement over SMB. This sub-technique is the second most common remote service used in ransomware fan-out operations, often paired with T1021.001 to achieve rapid deployment across an entire domain.

T1021.003 — Distributed Component Object Model (DCOM)

DCOM allows remote activation and execution of COM objects on target systems. With administrator-level credentials, attackers can abuse DCOM interfaces to remotely launch applications, execute commands, and move laterally without deploying additional tools. The technique is less common than RDP or SMB but provides an alternative when those protocols are monitored or restricted.

T1021.004 — SSH

SSH is the primary remote access protocol for Linux, macOS, and ESXi environments. Attackers who obtain SSH credentials or private keys can authenticate into remote systems and execute commands with the privileges of the compromised account. In VMware environments, enabling SSH on ESXi hosts gives attackers direct access to the hypervisor layer, from which they can manipulate virtual machines, exfiltrate data, and deploy ransomware to VM datastores. Ransomware families including LockBit, Abyss Locker, and BlackCat have all targeted ESXi hosts via SSH as part of their lateral movement chain.

T1021.005 — VNC

Virtual Network Computing (VNC) provides remote graphical access similar to RDP but is platform-independent. Attackers use VNC to control systems where RDP is not available — particularly Linux workstations and macOS machines. VNC traffic is often unencrypted by default, and many VNC implementations use weak or default passwords, making them attractive targets.

T1021.006 — Windows Remote Management (WinRM)

WinRM is the Windows implementation of the WS-Management protocol, enabling remote PowerShell execution and system management. Attackers with valid credentials can use WinRM to run commands on remote systems without opening a graphical session, making it harder to detect than RDP. WinRM operates over HTTP (port 5985) or HTTPS (port 5986) and is increasingly used in fileless attack chains where the entire operation is conducted through PowerShell commands and scripts that never touch disk.

T1021.007 — Cloud Services

In hybrid environments where on-premises identities are synchronized or federated to cloud platforms, attackers who compromise domain credentials can pivot from on-premises systems to cloud services — Azure, AWS, Microsoft 365, and SaaS applications. This sub-technique is particularly dangerous because it expands the blast radius beyond the physical network. An attacker who compromises an on-premises account that syncs to Entra ID (formerly Azure AD) can access email, cloud storage, CI/CD pipelines, and administrative consoles without ever touching the corporate VPN.

T1021.008 — Direct Cloud VM Connections

Cloud providers offer native console access to virtual machines — Azure Serial Console, AWS EC2 Instance Connect, and AWS Systems Manager. Attackers with compromised cloud credentials can use these services to directly access VMs without going through traditional SSH or RDP channels, bypassing network-level monitoring that only inspects conventional remote access protocols.

note

In hybrid identity estates (on-premises AD + Entra ID + SaaS), lateral movement is no longer limited to the network layer. Attackers can pivot across planes: endpoint to cloud via stolen tokens, cloud to SaaS via OAuth grants, and SaaS back to endpoints via MDM or remote support tools. Detection must cover all planes, not just east-west network traffic.

Real-World Case Studies

Volt Typhoon — Remote Services for Critical Infrastructure Pre-Positioning

Volt Typhoon, a Chinese state-sponsored threat group that CISA, NSA, and FBI assess is pre-positioning for potential disruption of U.S. critical infrastructure, has made T1021 a central element of its operations. In a confirmed compromise of a Water and Wastewater Systems Sector entity, Volt Typhoon connected to the network via VPN with administrator credentials, then opened RDP sessions to move laterally across the environment. Over a nine-month period, the group moved from the initial foothold to a file server, domain controller, Oracle Management Server, and VMware vCenter server. The actors extracted the Active Directory database (NTDS.dit) from the domain controller, giving them every credential in the domain.

Dragos reported that throughout 2025, Volt Typhoon's operations shifted toward not only collecting data from IT networks but directly interacting with operational technology (OT) network-connected devices and stealing sensor and operational data. In one confirmed case, the group moved laterally to a control system and was positioned to access a second. Rob Lee, Dragos CEO, told reporters that there are sites compromised by the group in the U.S. and NATO countries that "we will never find."

What makes Volt Typhoon's use of T1021 particularly dangerous is their strict adherence to living-off-the-land principles. They use native Windows tools — RDP, PowerShell, cmd.exe, netsh — and avoid deploying custom malware. Their lateral movement generates the same log entries as a legitimate administrator, and they have been observed abstaining from using compromised credentials outside of normal business hours to avoid triggering anomaly alerts.

BlackCat/ALPHV — Change Healthcare Lateral Movement

The February 2024 ransomware attack on Change Healthcare — the largest healthcare data breach in U.S. history, affecting over 100 million individuals — began when BlackCat operators gained initial access through a Citrix remote access portal that lacked multi-factor authentication. The attackers authenticated with compromised credentials on February 12, then spent nine days moving laterally through the network before deploying ransomware on February 21.

During those nine days, the attackers used stolen credentials to access system after system through remote services, exfiltrating data along the way. The lateral movement was extensive enough that UnitedHealth Group could not identify the full scope of the compromise even months after the attack. A $22 million ransom was paid, but the data was not returned. A second ransomware group, RansomHub, later claimed to have obtained the stolen data and attempted additional extortion.

The Change Healthcare attack demonstrates the cascading impact of T1021-based lateral movement: a single application without MFA gave attackers initial access, and unrestricted remote service connectivity within the network allowed them to reach every critical system before anyone detected the intrusion.

lesson

The nine-day dwell time between initial access and ransomware deployment at Change Healthcare is typical, not exceptional. Attackers use this window to move laterally, escalate privileges, identify and destroy backups, and stage data for exfiltration — all through remote services that generate routine-looking authentication events.

Akira Ransomware — RDP and WMI Fan-Out

Akira experienced a 60% activity increase in January 2025 and became one of the most prolific ransomware operations targeting healthcare and manufacturing. Their modus operandi centers on T1021.001 (RDP) and WMI for lateral movement. After compromising a single system — typically through a VPN vulnerability or stolen credentials — Akira operators scan internal IP ranges and log into servers using harvested credentials via RDP. The group deploys destructive payloads within hours, compressing the detection window to a point where many organizations cannot respond in time.

Akira also demonstrates the credential escalation pattern common to T1021 operations: initial credentials get the attackers onto one system, where they dump LSASS to harvest domain credentials, use Kerberoasting to obtain service account hashes, and then use those elevated credentials to RDP into increasingly critical systems — domain controllers, backup servers, and VMware infrastructure.

Scattered Spider — Social Engineering to Remote Service Abuse

Scattered Spider (UNC3944) has perfected a model that begins with social engineering and ends with T1021-based lateral movement at enterprise scale. The group uses help desk vishing — calling IT support desks while impersonating employees — to obtain password resets and MFA enrollments. With valid credentials in hand, they access corporate VPNs and remote access platforms, then move laterally through the internal network using RDP and SSH. In cloud-heavy environments, they pivot from endpoints to Entra ID, consenting to OAuth applications and accessing SaaS platforms to expand their reach beyond the traditional network perimeter.

SmarterTools Breach — Remote Services After Initial Exploitation

In January 2026, the Warlock ransomware group (Storm-2603) breached SmarterTools by exploiting an unpatched internet-facing mail server. Once inside, the attackers leveraged the mail server's broad network connectivity — connections to Active Directory, file shares, and management infrastructure — to move laterally across approximately 30 servers and virtual machines. The case illustrates how public-facing systems that have overly permissive internal network access become launch pads for T1021 operations: the initial exploit gave the attackers a foothold, but it was unrestricted remote service reachability that turned one compromised server into 30.

Detection Strategies

Detecting T1021 abuse is fundamentally a behavioral problem. The protocols are legitimate, the credentials are valid, and the traffic is indistinguishable from normal administration at the packet level. Detection must therefore focus on context: who is authenticating, from where, at what time, and does this pattern match the account's established baseline?

Key Event IDs for Windows Environments

| Event ID | Source | What It Captures | Detection Value |
|---|---|---|---|
| 4624 | Security | Successful logon (Type 3 = network, Type 10 = RDP) | Baseline normal logon patterns per account; alert on anomalous source IPs, unusual logon types, or first-time account-to-host pairs |
| 4625 | Security | Failed logon attempt | Credential spraying or brute force preceding successful lateral movement; watch for distributed failures across many hosts |
| 4648 | Security | Explicit credential logon (runas or alternate credentials) | High-fidelity indicator when an account uses credentials belonging to a different user; common during pass-the-hash |
| 4688 | Security | Process creation (with command-line logging enabled) | Detect PsExec service installations, WMI process creation, and PowerShell remoting session establishment |
| 1149 | TerminalServices-RemoteConnectionManager | RDP authentication succeeded | Captures the source IP and username for every successful RDP connection; essential for tracking RDP lateral movement |
| 4 | Sysmon | Sysmon service state changed | Attackers may attempt to stop Sysmon before lateral movement; service stoppage is a high-priority alert |
| 91 | Microsoft-Windows-WinRM/Operational | WinRM session created | Tracks WinRM/PowerShell remoting sessions; alert on sessions from unexpected source hosts or accounts |

Splunk Detection Queries

# Detect first-time RDP connections from new source hosts
# Lateral movement via RDP often comes from workstations
# that have never previously connected to the target server
# (run over a search window long enough to hold the baseline,
# e.g. 30 days, so that count=1 really means "never seen before")

index=wineventlog sourcetype="WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" EventCode=1149
| stats earliest(_time) as first_seen, count by User, Source_Network_Address, Computer
| where count=1 AND first_seen > relative_time(now(), "-24h")
| table first_seen, User, Source_Network_Address, Computer
| sort first_seen

# Detect lateral movement via SMB admin share access
# Flags remote service installations typical of PsExec
# and Impacket-based lateral movement tools; the pattern is
# anchored so that "eight random letters" matches the whole
# service name rather than any name containing eight letters

index=wineventlog sourcetype="WinEventLog:System" EventCode=7045
| where match(Service_Name, "(?i)^(PSEXESVC|BTOBTO|[a-zA-Z]{8})$")
| where Service_Type="user mode service" OR Service_Type="own process"
| table _time, Computer, Service_Name, Service_File_Name, Account_Name
| sort -_time

# Detect anomalous WinRM/PowerShell remoting sessions
# Alert when WinRM sessions originate from workstations
# rather than jump servers or admin hosts
# (src_host in the lookup and dest_host assume your Windows
# add-on's field extractions; hosts absent from the lookup
# get a null is_jump_server and must be kept, not dropped)

index=wineventlog sourcetype="WinEventLog:Microsoft-Windows-WinRM/Operational" EventCode=91
| lookup admin_jump_servers.csv src_host as Computer OUTPUT is_jump_server
| where isnull(is_jump_server) OR is_jump_server!="true"
| stats count by Computer, User, dest_host
| table Computer, User, dest_host, count

SSH and Linux Detection

# Monitor SSH authentications on Linux systems
# Alert on successful SSH from unexpected source IPs
# and track key-based vs password-based authentication

index=linux sourcetype="linux:auth" "Accepted"
| rex "Accepted (?<auth_method>\S+) for (?<user>\S+) from (?<src_ip>\S+)"
| lookup known_admin_sources.csv src_ip OUTPUT is_expected
| where isnull(is_expected) OR is_expected!="true"
| table _time, host, user, src_ip, auth_method
| sort -_time

detection principle

The highest-fidelity detection for T1021 is not "someone used RDP" — it is "an account that has never administered this system before is now authenticating to it." Build baselines of normal account-to-host relationships and alert on novel pairs. First-time administrative connections from accounts that historically have not managed a system are the strongest signal available.
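The account-to-host baseline described above, implemented in Python as an added example (not code from the page or from MITRE): it learns which (account, host) pairs and remote logon types appear in a baseline window of 4624-style records, then scores a review window, escalating first-time access to Tier 0 hosts. All events, host names and the tier mapping are constructed.

```python
"""Account-to-host baseline detection for T1021 (added example, not the page's code)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

class LogonEvent(NamedTuple):
    time: str        # ISO-8601 timestamp as exported from the SIEM
    account: str     # 4624 TargetDomainName\TargetUserName
    host: str        # Computer that recorded the 4624 event (the destination)
    logon_type: int  # 4624 LogonType: 3 = network (SMB/WinRM), 10 = RDP, 2 = console
    src_ip: str      # 4624 IpAddress ("-" for local logons)

# 4624 logon types that represent a remote service session (T1021)
REMOTE_LOGON_TYPES = {3: "network (SMB/WinRM)", 10: "remote interactive (RDP)"}
# Hypothetical tier model (Tier 0 = identity infrastructure); unlisted hosts are Tier 2
HOST_TIER = {"DC01": 0, "BK01": 1, "FS01": 1}
Pair = Tuple[str, str]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample events: the learning window (normal administration) ...
BASELINE_EVENTS = [
    LogonEvent("2026-02-01T09:05:00", "CORP\\jsmith-adm", "FS01", 3, "10.10.5.21"),
    LogonEvent("2026-02-02T09:10:00", "CORP\\jsmith-adm", "FS01", 10, "10.10.5.21"),
    LogonEvent("2026-02-03T14:20:00", "CORP\\jsmith-adm", "DC01", 10, "10.10.5.21"),
    LogonEvent("2026-02-05T11:00:00", "CORP\\backup-svc", "BK01", 3, "10.10.8.3"),
    LogonEvent("2026-02-06T08:30:00", "CORP\\hr-user", "WS-HR-07", 2, "-"),
]
# ... and the day under review (constructed; hr-user never administered anything before)
RECENT_EVENTS = [
    LogonEvent("2026-03-01T02:13:00", "CORP\\hr-user", "WS-FIN-12", 10, "10.10.40.7"),
    LogonEvent("2026-03-01T02:20:00", "CORP\\hr-user", "DC01", 3, "10.10.40.7"),
    LogonEvent("2026-03-01T09:00:00", "CORP\\jsmith-adm", "FS01", 10, "10.10.5.21"),
    LogonEvent("2026-03-01T03:05:00", "CORP\\backup-svc", "BK01", 3, "10.10.8.3"),
    LogonEvent("2026-03-01T10:00:00", "CORP\\backup-svc", "BK01", 10, "10.10.8.3"),
]

def host_tier(host: str) -> int:
    return HOST_TIER.get(host, 2)

def build_baseline(events: List[LogonEvent]) -> Dict[Pair, Set[int]]:
    """Record, for every (account, host) pair, which remote logon types were seen."""
    baseline: Dict[Pair, Set[int]] = defaultdict(set)
    for ev in events:
        if ev.logon_type in REMOTE_LOGON_TYPES:      # console logons are not movement
            baseline[(ev.account, ev.host)].add(ev.logon_type)
    return dict(baseline)

def score_event(ev: LogonEvent, baseline: Dict[Pair, Set[int]]) -> Optional[dict]:
    """Alert on a remote logon whose account-to-host pair is outside the baseline."""
    if ev.logon_type not in REMOTE_LOGON_TYPES:
        return None
    seen = baseline.get((ev.account, ev.host))
    if seen is not None and ev.logon_type in seen:
        return None                                   # established relationship
    tier = host_tier(ev.host)
    if tier == 0:
        severity = "critical"   # first-time access to identity infrastructure
    elif seen is None:
        severity = "high" if tier == 1 else "medium"  # novel pair, weighted by tier
    else:
        severity = "low"        # known pair, but a protocol it never used before
    return {
        "time": ev.time, "account": ev.account, "host": ev.host, "src_ip": ev.src_ip,
        "via": REMOTE_LOGON_TYPES[ev.logon_type], "tier": tier, "severity": severity,
    }

def detect_novel_pairs(baseline_events: List[LogonEvent],
                       recent_events: List[LogonEvent]) -> List[dict]:
    """Build the baseline, score the review window, return alerts most severe first."""
    baseline = build_baseline(baseline_events)
    alerts = [a for a in (score_event(ev, baseline) for ev in recent_events) if a]
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER[a["severity"]], a["time"]))

if __name__ == "__main__":
    for alert in detect_novel_pairs(BASELINE_EVENTS, RECENT_EVENTS):
        print(f"[{alert['severity']:<8}] {alert['time']} {alert['account']} -> "
              f"{alert['host']} (Tier {alert['tier']}) via {alert['via']} from {alert['src_ip']}")
```

In production the baseline window should cover a full operational cycle (month-end jobs, patch cycles) so that legitimate but infrequent pairs are learned rather than alerted on.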

Known Threat Actors

MITRE documents over 80 threat groups and malware families that use T1021 or its sub-techniques. The following are notable examples that demonstrate the technique's use across different threat actor motivations:

  • Volt Typhoon (China) — RDP lateral movement across U.S. critical infrastructure including water, energy, and communications sectors; living-off-the-land approach that avoids custom malware; confirmed OT access via lateral movement from IT networks
  • APT29 / Cozy Bear (Russia) — Weaponized nearby Wi-Fi networks for covert RDP access in the "Nearest Neighbor Attack"; leverages RDP and SSH across long-duration espionage campaigns
  • Scattered Spider / UNC3944 — Social engineering to obtain credentials, followed by VPN access and RDP/SSH lateral movement; pivots from endpoints to cloud via Entra ID; targets hospitality, telecom, and financial sectors
  • BlackCat / ALPHV — RDP and remote access lateral movement in the Change Healthcare breach; used stolen credentials with no MFA to access Citrix portal, then moved laterally for nine days before ransomware deployment
  • Akira — RDP and WMI-based lateral movement against healthcare and manufacturing; 60% activity surge in early 2025; rapid credential harvesting to domain compromise pipeline
  • LockBit — PsExec and SMB share-based lateral movement; SSH to ESXi hosts for VM encryption; responsible for approximately 1,700 attacks in the U.S. between 2020 and 2023
  • RansomHub — Python-based backdoor with SOCKS5 tunneling for masked lateral movement; recruited former BlackCat affiliates; 239 claimed victims in Q4 2024 alone before operations halted in April 2025
  • APT40 (China) — SSH and RDP lateral movement following exploitation of edge devices; persistent access to government and critical infrastructure networks across the Indo-Pacific region
  • APT41 (China) — RDP lateral movement in dual espionage and financially motivated operations; targets telecommunications, healthcare, and technology sectors globally
  • Warlock / Storm-2603 — Exploited public-facing mail server then used remote services to move laterally across 30 systems in the SmarterTools breach (January 2026)

Defensive Recommendations

  1. Enforce network segmentation and east-west traffic controls: Workstations should not be able to initiate RDP or SMB connections to other workstations. Restrict remote service protocols to defined admin jump servers and management networks. Use host-based firewall rules or microsegmentation policies to enforce allowed communication paths. This single control directly interrupts the T1021.001 and T1021.002 fan-out that ransomware operations depend on.
  2. Implement privileged access workstations (PAWs) for administration: Dedicate hardened workstations exclusively for administrative tasks. All remote service connections to servers and infrastructure should originate only from PAWs. Any remote service authentication from a non-PAW device to a server is a high-fidelity detection opportunity.
  3. Deploy multi-factor authentication on all remote access entry points: MFA on VPN, Citrix, RDP gateways, and cloud portals prevents stolen credentials alone from granting access. The Change Healthcare breach began because a Citrix portal lacked MFA. This is the single highest-impact control for preventing the initial access that precedes T1021 lateral movement.
  4. Implement tiered credential architecture: Use separate administrative accounts for different tiers — Tier 0 for domain controllers and identity infrastructure, Tier 1 for servers, Tier 2 for workstations. Never allow Tier 0 credentials to authenticate on Tier 1 or Tier 2 systems. This limits the blast radius of any single credential compromise.
  5. Enable and centralize authentication logging: Ensure Windows Security event logs (4624, 4625, 4648), RDP connection logs (1149), WinRM operational logs, and SSH authentication logs are forwarded to the SIEM. These are the raw data sources that make T1021 detection possible. Without them, lateral movement is invisible.
  6. Build and maintain account-to-host baselines: Use SIEM analytics to build a baseline of which accounts normally authenticate to which hosts. Alert on novel account-host pairs — especially first-time administrative connections to critical systems like domain controllers, backup servers, and hypervisors.
  7. Disable unnecessary remote services: If RDP is not required on a system, disable it. If SSH is not needed on an ESXi host, keep it disabled. If WinRM is not used for management, remove it from the listening state. Every enabled remote service is an available lateral movement path. Reduce the attack surface by disabling what is not needed.
  8. Monitor and restrict cloud identity pivots: In hybrid environments, monitor for on-premises account compromises that pivot to cloud services. Track OAuth consent grants, new MFA method registrations, and token usage patterns. Implement conditional access policies that limit cloud service access to managed devices and known network locations.

MITRE ATT&CK Mapping

| Field | Value |
|---|---|
| Technique ID | T1021 |
| Technique Name | Remote Services |
| Tactic | Lateral Movement |
| Platforms | Windows, Linux, macOS, IaaS, ESXi |
| Sub-Techniques | T1021.001 (RDP), T1021.002 (SMB/Admin Shares), T1021.003 (DCOM), T1021.004 (SSH), T1021.005 (VNC), T1021.006 (WinRM), T1021.007 (Cloud Services), T1021.008 (Direct Cloud VM) |
| Data Sources | Logon Session (Creation), Network Traffic (Content, Flow), Process (Creation), Command (Execution), Module (Load) |
| Requires | Valid Accounts (T1078) or credential replay (T1550) |
| Mitigations | Multi-Factor Authentication, Network Segmentation, Privileged Account Management, User Account Management, Disable or Remove Feature |
| MITRE Reference | attack.mitre.org/techniques/T1021 |

Sources and References

  • MITRE ATT&CK — T1021 Remote Services: attack.mitre.org
  • CISA, NSA, FBI — PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (AA24-038A): cisa.gov
  • Dragos — 2025 OT/ICS Cybersecurity Year in Review (Volt Typhoon activity through 2025): dragos.com
  • Recorded Future News — Volt Typhoon Still Embedded in U.S. Utilities (2025): therecord.media
  • CrowdStrike — 2025 Global Threat Report (access broker surge, ransomware lateral movement trends): crowdstrike.com
  • Threat Intelligence Report — Ransomware Lateral Movement in 2026: Detection Opportunities: threatintelreport.com
  • AHA — Change Healthcare Cyberattack Impact Assessment: aha.org
  • CISA — #StopRansomware: Akira Ransomware (AA24-109A): cisa.gov