Remote Services `T1021`

Tactic: Lateral Movement

Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

Events covered

62 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 2	A process changed a file creation time
Sysmon	Event ID 3	Network connection
Sysmon	Event ID 7	Image loaded
Sysmon	Event ID 10	ProcessAccess
Sysmon	Event ID 11	FileCreate
Sysmon	Event ID 12	RegistryEvent (Object create and delete)
Sysmon	Event ID 13	RegistryEvent (Value Set)
Sysmon	Event ID 14	RegistryEvent (Key and Value Rename)
Sysmon	Event ID 17	PipeEvent (Pipe Created)
Sysmon	Event ID 18	PipeEvent (Pipe Connected)
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4625	An account failed to log on.
Security-Auditing	Event ID 4656	A handle to an object was requested.
Security-Auditing	Event ID 4663	An attempt was made to access an object.
Security-Auditing	Event ID 4672	Special privileges assigned to new logon.
Security-Auditing	Event ID 4674	An operation was attempted on a privileged object.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 4697	A service was installed in the system.
Security-Auditing	Event ID 4698	A scheduled task was created.
Security-Auditing	Event ID 4768	A Kerberos authentication ticket (TGT) was requested.
Security-Auditing	Event ID 4769	A Kerberos service ticket was requested.
Security-Auditing	Event ID 4770	A Kerberos service ticket was renewed.
Security-Auditing	Event ID 4771	Kerberos pre-authentication failed.
Security-Auditing	Event ID 4776	The domain controller attempted to validate the credentials for an account.
Security-Auditing	Event ID 4778	A session was reconnected to a Window Station.
Security-Auditing	Event ID 4779	A session was disconnected from a Window Station.
Security-Auditing	Event ID 4825	A user was denied the access to Remote Desktop.
Security-Auditing	Event ID 4964	Special groups have been assigned to a new logon.
Security-Auditing	Event ID 5140	A network share object was accessed.
Security-Auditing	Event ID 5142	A network share object was added.
Security-Auditing	Event ID 5143	A network share object was modified.
Security-Auditing	Event ID 5145	A network share object was checked to see whether client can be granted desired access.
Security-Auditing	Event ID 5152	The Windows Filtering Platform blocked a packet.
Security-Auditing	Event ID 5154	The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing	Event ID 5155	The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing	Event ID 5156	The Windows Filtering Platform has permitted a connection.
Security-Auditing	Event ID 5157	The Windows Filtering Platform has blocked a connection.
Security-Auditing	Event ID 5158	The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing	Event ID 5159	The Windows Filtering Platform has blocked a bind to a local port.
Defender-DeviceEvents	any	Defender event (any)
Defender-DeviceFileEvents	FileCreated	File created
Defender-DeviceFileEvents	FileModified	File modified
Defender-DeviceFileEvents	FileRenamed	File renamed
Defender-DeviceImageLoadEvents	any	Image load (any)
Defender-DeviceImageLoadEvents	ImageLoaded	Image loaded
Defender-DeviceLogonEvents	LogonSuccess	Logon succeeded
Defender-DeviceNetworkEvents	any	Network activity (any)
Defender-DeviceNetworkEvents	ConnectionSuccess	Connection succeeded
Defender-DeviceNetworkEvents	InboundConnectionAccepted	Inbound connection accepted
Defender-DeviceProcessEvents	any	Process activity (any)
PowerShell	Event ID 4103	Payload Context: ContextInfo User Data: UserData.
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).
SMBServer	Event ID 4000	The SMB client connection to the share was established.
TerminalServices-LocalSessionManager	Event ID 21	Remote Desktop Services: Session logon succeeded.
TerminalServices-LocalSessionManager	Event ID 24	Remote Desktop Services: Session has been disconnected.
TerminalServices-LocalSessionManager	Event ID 25	Remote Desktop Services: Session reconnection succeeded.
TerminalServices-RemoteConnectionManager	Event ID 1149	Remote Desktop Services: User authentication succeeded.
OpenSSH	Event ID 4	process: payload.
PowerShell	Event ID 400	Event ID 400
PowerShell	Event ID 800	Event ID 800
Service-Control-Manager	Event ID 7045	A service was installed in the system.

Authoring guide

Patterns shared across the 387 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (246 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`CommandLine`	86	`contains` 48, `match` 13, `regex_match` 13, `in` 8, `eq` 6, `wildcard` 5, `starts_with` 3, `ends_with` 2, `is_null` 1, `ne` 1	`use` , `net.use.(C\|ADMIN\|IPC)\$`, `cp` , `-r` , `\\\\`
`Image`	60	`ends_with` 46, `eq` 9, `starts_with` 6, `contains` 5, `wildcard` 2, `is_null` 1, `regex_match` 1	`\net.exe`, `\net1.exe`, `\cmd.exe`, `/dev/shm/`, `\mmc.exe`
`process_name`	58	`eq` 40, `in` 13, `wildcard` 3, `match` 2, `ends_with` 1, `is_not_null` 1, `ne` 1, `starts_with` 1	`cmd.exe`, `powershell.exe`, `pwsh.exe`, `mstsc.exe`, `svchost.exe`
`EventType`	56	`eq` 38, `in` 15, `starts_with` 4, `ne` 3	`exec`, `creation`, `ConnectionSuccess`, `ssh_login`, `ProcessRollup2`
`EventID`	55	`eq` 54, `in` 1	`1`, `4688`, `4104`, `5145`, `4624`
`event.type`	46	`eq` 40, `in` 8	`start`, `change`, `creation`, `process_started`, `connection`
`DestinationPort`	36	`eq` 22, `in` 6, `ge` 4, `gt` 2, `match` 2, `le` 1	`3389`, `445`, `5985`, `5986`, `135`
`parent_process_name`	33	`eq` 22, `contains` 3, `match` 3, `ne` 3, `in` 2, `ends_with` 1	`wsmprovhost.exe`, `microsoft.tri.sensor.exe`, `mmc.exe`, `services.exe`, `svchost.exe`
`OriginalFileName`	30	`eq` 29, `in` 1	`net.exe`, `net1.exe`, `powershell.exe`, `powershell_ise.exe`, `psexec.c`
`src_ip`	28	`ne` 16, `eq` 7, `cidr_match` 4, `is_not_null` 4, `in` 2, `contains` 1, `starts_with` 1	`127.0.0.1`, `::1`, `10.0.0.0/8`, `%vulnerability_scanners%`, `%admin_jump_hosts%`
`host.os.type`	22	`eq` 22
`event.category`	19	`eq` 15, `in` 4	`process`, `file`, `network`, `network_traffic`, `authentication`
`process.args`	19	`eq` 12, `starts_with` 5, `wildcard` 5, `contains` 1, `ends_with` 1, `in` 1	`\\`, `--nc`, `-Embedding`, `-L`, `-R`
`ShareName`	16	`eq` 6, `wildcard` 5, `in` 2, `contains` 1, `ends_with` 1, `match` 1	`\\\ADMIN$`, `\\\\\\\IPC$`, `C$`, `ADMIN$`, `Admin$`
`Initiated`	15	`eq` 15	`incoming`, `ingress`, `true`, `egress`

Top indicator values (2214 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.type`	`eq`	`start` elasticAt.exe Command Lateral Movement elasticConnection to External Network via Telnet elasticConnection to Internal Network via Telnet elasticExecution via TSClient Mountpoint elasticIncoming DCOM Lateral Movement via MSHTA elasticIncoming DCOM Lateral Movement with MMC elasticIncoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows elasticIncoming Execution via PowerShell Remoting elasticIncoming Execution via WinRM Remote Shell elasticKubelet API Connection Attempt to Internal IP elasticLinux SSH X11 Forwarding elasticMounting Hidden or WebDav Remote Shares elasticNetwork Connection Initiated by Suspicious SSHD Child Process elasticPotential Direct Kubelet Access via Process Arguments elasticPotential Direct Kubelet Access via Process Arguments Detected via Defend for Containers elasticPotential Execution via SSH Backdoor elasticPotential Lateral Tool Transfer via SMB Share elasticPotential Remote Desktop Shadowing Activity elasticPotential Remote Desktop Tunneling Detected elasticPotential SharpRDP Behavior elasticPotential THC Tool Downloaded elasticPsExec Network Connection elasticRemote Desktop Enabled in Windows Firewall by Netsh elasticRemote Execution via File Shares elasticRemote File Copy to a Hidden Share elasticRemotely Started Services via RPC elasticService Command Lateral Movement elasticSMB Connections via LOLBin or Untrusted Process elasticSuspicious Cmd Execution via WMI elasticSuspicious Execution from a WebDav Share elasticSuspicious Process Execution via Renamed PsExec Executable elasticUnusual SSHD Child Process elasticWMI Incoming Lateral Movement elasticWMIC Remote Command	34	606
`event.type`	`eq`	`change` elasticNullSessionPipe Registry Modification elasticPotential Remote Desktop Shadowing Activity elasticPotential SharpRDP Behavior elasticRDP Enabled via Registry elasticRemote Scheduled Task Creation elasticRenaming of OpenSSH Binaries	6	77
`src_ip`	`ne`	`127.0.0.1` elasticIncoming DCOM Lateral Movement via MSHTA elasticIncoming DCOM Lateral Movement with MMC elasticIncoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows elasticIncoming Execution via PowerShell Remoting elasticIncoming Execution via WinRM Remote Shell elasticPotential Lateral Tool Transfer via SMB Share elasticPotential Machine Account Relay Attack via SMB elasticPotential Network Share Discovery elasticPotential Ransomware Note File Dropped via SMB elasticPotential SharpRDP Behavior elasticRemote Scheduled Task Creation elasticRemote Windows Service Installed elasticRemotely Started Services via RPC elasticSuspicious File Renamed via SMB elasticWMI Incoming Lateral Movement	15	23
`src_ip`	`ne`	`::1` elasticIncoming DCOM Lateral Movement via MSHTA elasticIncoming DCOM Lateral Movement with MMC elasticIncoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows elasticIncoming Execution via PowerShell Remoting elasticIncoming Execution via WinRM Remote Shell elasticPotential Lateral Tool Transfer via SMB Share elasticPotential Machine Account Relay Attack via SMB elasticPotential Network Share Discovery elasticPotential Ransomware Note File Dropped via SMB elasticPotential SharpRDP Behavior elasticRemote Scheduled Task Creation elasticRemote Windows Service Installed elasticRemotely Started Services via RPC elasticSuspicious File Renamed via SMB elasticWMI Incoming Lateral Movement	15	21
`EventID`	`eq`	`1` splunkImpacket Lateral Movement Activity (Sysmon) splunkInvoke-DCOM.ps1 - PowerShell (Sysmon) splunkNet.exe Use with URL (Sysmon) splunkRDP Enabled (Sysmon) splunkRDP File Executed from Outlook Temp Directory (Sysmon) splunkRemote Admin Tools (Sysmon) splunkWindows Admin$ Share Access (Sysmon) splunkWindows C$ Share Access (Sysmon) splunkWindows IPC$ Share Access (Sysmon) splunkWinRM Tools (Sysmon) kustoDetecting Macro Invoking ShellBrowserWindow COM Objects kustoLateral Movement via DCOM	12	237
`EventID`	`eq`	`4688` splunkImpacket Lateral Movement Activity (Windows Event Log) splunkImpacket PSexec (Windows Event Log) splunkImpacket SMBexec (Windows Event Log) splunkInvoke-DCOM.ps1 - PowerShell (Windows Event Log) splunkMSTSC Execution (Windows Event Log) splunkNet.exe Use with URL (Windows Event Log) splunkRDP Enabled (Windows Event Log) splunkRDP File Executed from Outlook Temp Directory (Windows Event Log) splunkRemote Admin Tools (Windows Event Log) splunkWinRM Tools (Windows Event Log) kustoPowershell Empire Cmdlets Executed in Command Line	11	313
`EventID`	`eq`	`4104` splunkAllow Inbound Traffic In Firewall Rule splunkInteractive Session on Remote Endpoint with PowerShell splunkInvoke-DCOM.ps1 - PowerShell (PowerShell) splunkPowershell Remote Services Add TrustedHost splunkRemote Process Instantiation via DCOM and PowerShell Script Block splunkRemote Process Instantiation via WinRM and PowerShell Script Block splunkWindows Azure PowerShell Module Installation Via PowerShell Script splunkWinRM Tools (PowerShell)	8	268
`EventID`	`eq`	`5145` splunkExecutable File Written in Administrative SMB Share splunkImpacket PSexec (Windows Event Log) splunkSMB Write Access on Administrative Share (Windows Event Log) splunkWindows Admin$ Share Access (Windows Event Log) splunkWindows C$ Share Access (Windows Event Log) splunkWindows IPC$ Share Access (Windows Event Log) splunkWindows Share Multiple File Access (Windows Event Log)	7	18
`EventID`	`eq`	`4624` splunkPotential EternalBlue via Metasploit (Windows Event Log) splunkWindows RDP Login Session Was Established kustoMultiple RDP connections from Single System kustoRare RDP Connections kustoRDP Nesting	5	25
`DestinationPort`	`eq`	`3389` sigmaOutbound RDP Connections Over Non-Standard Tools sigmaRDP over Reverse SSH Tunnel WFP elasticPotential Outgoing RDP Connection by Unusual Process elasticPotential SharpRDP Behavior elasticRDP (Remote Desktop Protocol) from the Internet splunkRemote Desktop Network Traffic kustoDetect Suspicious ncrypt.dll usage on admin device with RDP connections to non TPM protected device kustoDetect Suspicious ncrypt.dll usage with RDP connections to unmanaged or non TPM protected device kustoHunt for devices doing first RDP session kustoHunt for RDP sessions to unmanaged and non TPM devices	10	11
`DestinationPort`	`eq`	`445` elasticPotential Lateral Tool Transfer via SMB Share elasticPotential Ransomware Note File Dropped via SMB elasticSMB Connections via LOLBin or Untrusted Process elasticSuspicious File Renamed via SMB splunkSMB Traffic Spike	5	8
`Initiated`	`eq`	`incoming` elasticIncoming DCOM Lateral Movement via MSHTA elasticIncoming DCOM Lateral Movement with MMC elasticIncoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows elasticIncoming Execution via PowerShell Remoting elasticIncoming Execution via WinRM Remote Shell elasticPotential Lateral Tool Transfer via SMB Share elasticPotential SharpRDP Behavior elasticRemote Scheduled Task Creation elasticRemotely Started Services via RPC elasticWMI Incoming Lateral Movement	10	10
`Initiated`	`eq`	`ingress` elasticIncoming DCOM Lateral Movement via MSHTA elasticIncoming DCOM Lateral Movement with MMC elasticIncoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows elasticIncoming Execution via PowerShell Remoting elasticIncoming Execution via WinRM Remote Shell elasticPotential Lateral Tool Transfer via SMB Share elasticPotential SharpRDP Behavior elasticRemote Scheduled Task Creation elasticRemotely Started Services via RPC elasticWMI Incoming Lateral Movement	10	12
`Protocol`	`eq`	`tcp` elasticIncoming DCOM Lateral Movement via MSHTA elasticIncoming DCOM Lateral Movement with MMC elasticIncoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows elasticPotential Lateral Tool Transfer via SMB Share elasticPotential SharpRDP Behavior elasticRDP (Remote Desktop Protocol) from the Internet elasticRemotely Started Services via RPC elasticRPC (Remote Procedure Call) to the Internet elasticVNC (Virtual Network Computing) to the Internet	9	18
`event.outcome`	`eq`	`success` elasticAWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization elasticAWS EC2 Instance Connect SSH Public Key Uploaded elasticAWS EC2 Instance Console Login via Assumed Role elasticAWS SSM Session Started to EC2 Instance elasticRemote Windows Service Installed elasticSuccessful SSH Authentication from Unusual IP Address elasticSuccessful SSH Authentication from Unusual SSH Public Key elasticSuccessful SSH Authentication from Unusual User	8	251
`process_id`	`eq`	`4` elasticIncoming Execution via WinRM Remote Shell elasticLateral Movement via Startup Folder elasticPotential Lateral Tool Transfer via SMB Share elasticPotential Ransomware Behavior - Note Files by System elasticPotential Ransomware Note File Dropped via SMB elasticRemote Execution via File Shares elasticSuspicious File Renamed via SMB elasticWindows Registry File Creation in SMB Share	8	11
`DeviceProduct`	`eq`	`X Series` kustoVectra Account's Behaviors kustoVectra AI Detect - Detections with High Severity kustoVectra AI Detect - New Campaign Detected kustoVectra AI Detect - Suspected Compromised Account kustoVectra AI Detect - Suspected Compromised Host kustoVectra AI Detect - Suspicious Behaviors by Category kustoVectra Host's Behaviors	7	7
`DeviceVendor`	`eq`	`Vectra Networks` kustoVectra Account's Behaviors kustoVectra AI Detect - Detections with High Severity kustoVectra AI Detect - New Campaign Detected kustoVectra AI Detect - Suspected Compromised Account kustoVectra AI Detect - Suspected Compromised Host kustoVectra AI Detect - Suspicious Behaviors by Category kustoVectra Host's Behaviors	7	7
`EventType`	`eq`	`exec` sigmamacOS File Transfer Tool Execution sigmamacOS Network Share Access sigmamacOS Remote Execution Tools sigmamacOS SSH Connection Detection elasticNetwork Connection Initiated by Suspicious SSHD Child Process elasticPotential Direct Kubelet Access via Process Arguments Detected via Defend for Containers elasticPotential Execution via SSH Backdoor	7	171
`EventType`	`eq`	`creation` elasticPotential Ransomware Behavior - Note Files by System elasticPotential Ransomware Note File Dropped via SMB elasticPotential Remote Credential Access via Registry elasticRemote File Creation in World Writeable Directory elasticUnusual Remote File Creation	5	25
`Image`	`ends_with`	`\net.exe` sigmaLateral movement by mounting a network share - net use (command) sigmaNet.EXE Execution sigmaNetwork share manipulation via commandline sigmaPassword Provided In Command Line Of Net.EXE sigmaWindows Admin Share Mount Via Net.EXE sigmaWindows Internet Hosted WebDav Share Mount Via Net.EXE sigmaWindows Share Mount Via Net.EXE	7	49
`Image`	`ends_with`	`\net1.exe` sigmaLateral movement by mounting a network share - net use (command) sigmaNet.EXE Execution sigmaNetwork share manipulation via commandline sigmaPassword Provided In Command Line Of Net.EXE sigmaWindows Admin Share Mount Via Net.EXE sigmaWindows Internet Hosted WebDav Share Mount Via Net.EXE sigmaWindows Share Mount Via Net.EXE	7	47
`EventType`	`in`	`exec` elasticConnection to External Network via Telnet elasticConnection to Internal Network via Telnet elasticLinux SSH X11 Forwarding elasticPotential Direct Kubelet Access via Process Arguments elasticPotential THC Tool Downloaded elasticUnusual SSHD Child Process	6	171
`OriginalFileName`	`eq`	`net.exe` sigmaNet.EXE Execution sigmaPassword Provided In Command Line Of Net.EXE sigmaWindows Admin Share Mount Via Net.EXE sigmaWindows Internet Hosted WebDav Share Mount Via Net.EXE sigmaWindows Share Mount Via Net.EXE elasticMounting Hidden or WebDav Remote Shares	6	28
`OriginalFileName`	`eq`	`net1.exe` sigmaNet.EXE Execution sigmaPassword Provided In Command Line Of Net.EXE sigmaWindows Admin Share Mount Via Net.EXE sigmaWindows Internet Hosted WebDav Share Mount Via Net.EXE sigmaWindows Share Mount Via Net.EXE elasticMounting Hidden or WebDav Remote Shares	6	44
`SubjectUserName`	`ends_with`	`$` sigmaAccess To ADMIN$ Network Share sigmaDCOM InternetExplorer.Application Iertutil DLL Hijack - Security sigmaNew network file share created sigmaSMB Create Remote File Admin Share sigmaT1047 Wmiprvse Wbemcomn DLL Hijack sigmaWinRM listening service reconnaissance (WS-Management)	6	3
`event.category`	`eq`	`process` elasticDeprecated - PowerShell Script with Remote Execution Capabilities via WinRM elasticOutbound Scheduled Task Activity via PowerShell elasticPotential PowerShell HackTool Script by Function Names elasticPotential Remote Desktop Shadowing Activity elasticSuspicious RDP ActiveX Client Loaded elasticUnusual SSHD Child Process	6	128
`process_name`	`eq`	`cmd.exe` elasticRemote File Copy to a Hidden Share elasticSuspicious Cmd Execution via WMI elasticSuspicious Execution from a WebDav Share splunkImpacket Lateral Movement Commandline Parameters splunkImpacket Lateral Movement smbexec CommandLine Parameters splunkPossible Lateral Movement PowerShell Spawn	6	77
`src_ip`	`eq`	`::1` sigmaPotential Remote PowerShell Session Initiated sigmaRDP discovery performed on multiple hosts sigmaRDP Login from Localhost sigmaRDP over Reverse SSH Tunnel WFP sigmaRDP reconnaissance with valid credentials performed on multiple hosts sigmaSMB Create Remote File Admin Share	6	6
`LogonType`	`eq`	`RemoteInteractive` sigmaRDP Login from Localhost splunkWindows RDP Login Session Was Established kustoMultiple RDP connections from Single System kustoRare RDP Connections kustoRDP Nesting	5	8

Exclusions (623 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`SubjectUserName`	`ends_with`	`$` sigmaAccess To ADMIN$ Network Share sigmaDCOM InternetExplorer.Application Iertutil DLL Hijack - Security sigmaNew network file share created sigmaSMB Create Remote File Admin Share sigmaT1047 Wmiprvse Wbemcomn DLL Hijack sigmaWinRM listening service reconnaissance (WS-Management)	6
`src_ip`	`eq`	`::1` sigmaPotential Remote PowerShell Session Initiated sigmaRDP discovery performed on multiple hosts sigmaRDP reconnaissance with valid credentials performed on multiple hosts sigmaSMB Create Remote File Admin Share chroniclePotential Remote PowerShell Session Initiated	5
`process_name`	`in`	`:\\program files $x86$\\adobe` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`:\\program files $x86$\\google` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`:\\program files $x86$\\microsoft` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`:\\program files\\adobe` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`:\\program files\\google` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`:\\program files\\microsoft` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`*:\\windows\\system32\\searchindexer.exe` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`*:\\windows\\system32\\svchost.exe` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`:\\windows\\systemapps\\microsoft` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`\\amazon\\ssm\\instance` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`\\appdata\\local\\google` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`\\appdata\\local\\kingsoft\\` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4
`process_name`	`in`	`\\appdata\\local\\microsoft` splunkWindows PUA Named Pipe splunkWindows RMM Named Pipe splunkWindows Suspicious C2 Named Pipe splunkWindows Suspicious Named Pipe	4

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Remote Services `T1021`

Events covered

Authoring guide

Fields filtered most (246 distinct)

Top indicator values (2214 distinct)

Exclusions (623 distinct)

Rules under this technique

Sigma 127 rules

Elastic 89 rules

Splunk 101 rules

Kusto 47 rules

YARA-L 7 rules

Panther 16 rules

Keyboard shortcuts

Search operators

Remote Services T1021

Events covered

Authoring guide

Fields filtered most (246 distinct)

Top indicator values (2214 distinct)

Exclusions (623 distinct)

Rules under this technique

Sigma 127 rules

Elastic 89 rules

Splunk 101 rules

Kusto 47 rules

YARA-L 7 rules

Panther 16 rules

Remote Services `T1021`