[T1021.001 ] Remote Services: Remote Desktop Protocol – Remote Desktop Protocol (RDP) is often abused by attackers to move laterally using stolen or otherwise valid credentials, giving them interactive access to target systems. Monitor unusual RDP logons (on Windows, Security event 4624 with logon type 10), abnormal source/account pairings and timing, and post-logon activity to detect misuse. #RemoteDesktop #LateralMovement
Category: MITRE
[T1021 ] Remote Services – Adversaries use remote-access services like SSH, RDP, VNC, and management tools to move laterally by logging in with valid credentials and operating as legitimate users. Monitor remote logins, unusual access patterns, and management ports to detect misuse. #RemoteServices #LateralMovement
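The detection the two entries above call for, as an added example that is not part of the original page: a baseline-driven check over remote logons. It parses constructed Windows Security 4624 events (keeping only logon type 10, RemoteInteractive/RDP) and Linux sshd "Accepted" lines, then flags account/source pairs absent from an approved baseline, logons outside business hours, and direct SSH root logons. The log lines, the baseline set and the flattened key=value rendering of 4624 are constructed for this example.

```python
"""Baseline-driven detection of suspicious RDP and SSH logons (T1021, T1021.001).

Added example: parses constructed Windows 4624 (logon type 10 = RDP) events and
sshd syslog lines, then flags logons that deviate from an approved baseline.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events, not real telemetry. Windows lines are a flattened
# key=value rendering of Security event 4624; Linux lines use sshd's syslog format.
SAMPLE_LOGS = [
    "2024-05-06T09:12:03 host=FS01 EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.0.5.21",
    "2024-05-06T02:41:19 host=FS01 EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.9.77",
    "2024-05-06T10:05:44 host=FS01 EventID=4624 LogonType=3 TargetUserName=bob IpAddress=10.0.5.30",
    "May  6 09:30:12 web01 sshd[2211]: Accepted publickey for deploy from 10.0.5.21 port 51022 ssh2",
    "May  6 03:15:08 web01 sshd[2290]: Accepted password for root from 203.0.113.9 port 41000 ssh2",
]

# Approved (account, source IP) pairs; assumed here, in practice built from weeks of history.
BASELINE = {("alice", "10.0.5.21"), ("deploy", "10.0.5.21")}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time, an assumed policy

WIN_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=4624 LogonType=(?P<type>\d+) "
                    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)$")
SSH_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")


@dataclass(frozen=True)
class RemoteLogin:
    host: str
    user: str
    src: str
    service: str   # "rdp" or "ssh"
    hour: int


def parse_line(line):
    """Return a RemoteLogin for RDP (type 10) or SSH logons, else None."""
    m = WIN_RE.match(line)
    if m:
        if m["type"] != "10":          # network/batch/service logons are out of scope here
            return None
        hour = datetime.fromisoformat(m["ts"]).hour
        return RemoteLogin(m["host"], m["user"], m["src"], "rdp", hour)
    m = SSH_RE.match(line)
    if m:
        hour = int(m["time"][:2])
        return RemoteLogin(m["host"], m["user"], m["src"], "ssh", hour)
    return None


def find_suspicious(lines, baseline=BASELINE, hours=BUSINESS_HOURS):
    """Return (login, reasons) for each remote logon that deviates from baseline."""
    findings = []
    for line in lines:
        login = parse_line(line)
        if login is None:
            continue
        reasons = []
        if (login.user, login.src) not in baseline:
            reasons.append("new account/source pair")
        if login.hour not in hours:
            reasons.append("outside business hours")
        if login.service == "ssh" and login.user == "root":
            reasons.append("direct root login")
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in find_suspicious(SAMPLE_LOGS):
        print(f"{login.service.upper()} {login.user}@{login.host} from {login.src}: {', '.join(reasons)}")
```

The baseline is the part worth investing in: a first-seen account/source pair is the single strongest signal for credential-based lateral movement, and the hour-of-day and root-login rules only add context to it.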
[T1020.001 ] Automated Exfiltration: Traffic Duplication – Adversaries can abuse native traffic mirroring and packet capture features in network and cloud platforms (switch SPAN ports, AWS VPC Traffic Mirroring, GCP Packet Mirroring) to duplicate traffic and siphon sensitive data to attacker-controlled endpoints without any direct file transfer. Monitor mirror session and target configurations, and anomalous mirrored flows, to reduce risk. #TrafficDuplication #AutomatedExfiltration
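One way to monitor mirror configurations as the entry above recommends, as an added example (not the page's or AWS's own code): an audit over the dict shapes that boto3's `describe_traffic_mirror_sessions()` and `describe_traffic_mirror_targets()` return. Each active session is checked against a change-controlled allowlist of mirror targets, and targets that would deliver packets to a different AWS account are flagged. The account ID, the allowlist and the session/target records are constructed so the check runs offline; feed it real API responses to use it.

```python
"""Audit VPC Traffic Mirroring sessions for unapproved or foreign targets (T1020.001).

Added example. Input dicts follow the boto3 result shape of
ec2.describe_traffic_mirror_sessions()["TrafficMirrorSessions"] and
ec2.describe_traffic_mirror_targets()["TrafficMirrorTargets"]; the records
below are constructed, not real resources.
"""
import re

ACCOUNT_ID = "111111111111"           # account being audited (assumed)
APPROVED_TARGETS = {"tmt-0aaaa1111"}  # change-controlled IDS/NDR targets (assumed)

# Constructed responses; only the fields the audit reads are populated.
TARGETS = [
    {"TrafficMirrorTargetId": "tmt-0aaaa1111", "Type": "network-load-balancer",
     "NetworkLoadBalancerArn": f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT_ID}:loadbalancer/net/ids-nlb/abc",
     "OwnerId": ACCOUNT_ID, "Description": "Approved IDS sensor"},
    {"TrafficMirrorTargetId": "tmt-0bbbb2222", "Type": "network-interface",
     "NetworkInterfaceId": "eni-0deadbeef", "OwnerId": ACCOUNT_ID, "Description": ""},
    {"TrafficMirrorTargetId": "tmt-0cccc3333", "Type": "network-load-balancer",
     "NetworkLoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:999999999999:loadbalancer/net/x/def",
     "OwnerId": ACCOUNT_ID, "Description": "temp"},
]
SESSIONS = [
    {"TrafficMirrorSessionId": "tms-0111", "TrafficMirrorTargetId": "tmt-0aaaa1111",
     "NetworkInterfaceId": "eni-0app01", "SessionNumber": 1},
    {"TrafficMirrorSessionId": "tms-0222", "TrafficMirrorTargetId": "tmt-0bbbb2222",
     "NetworkInterfaceId": "eni-0db01", "SessionNumber": 1},
    {"TrafficMirrorSessionId": "tms-0333", "TrafficMirrorTargetId": "tmt-0cccc3333",
     "NetworkInterfaceId": "eni-0db02", "SessionNumber": 2},
]

# arn:partition:service:region:account-id:resource
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:[^:]*:[^:]*:(\d{12}):")


def target_account(target):
    """Account that receives the mirrored packets for this target, where derivable."""
    arn = target.get("NetworkLoadBalancerArn")
    if arn:
        m = ARN_ACCOUNT_RE.match(arn)
        return m.group(1) if m else None
    # ENI targets: the interface lives in the target owner's account
    return target.get("OwnerId")


def audit_mirroring(sessions, targets, account_id=ACCOUNT_ID, approved=APPROVED_TARGETS):
    """Return one finding per session whose target is unapproved, unknown, or cross-account."""
    by_id = {t["TrafficMirrorTargetId"]: t for t in targets}
    findings = []
    for s in sessions:
        tid = s["TrafficMirrorTargetId"]
        target = by_id.get(tid)
        reasons = []
        if tid not in approved:
            reasons.append("target not on approved list")
        if target is None:
            reasons.append("target not found in account")
        else:
            acct = target_account(target)
            if acct and acct != account_id:
                reasons.append(f"target delivers to foreign account {acct}")
        if reasons:
            findings.append({"session": s["TrafficMirrorSessionId"],
                             "source_eni": s["NetworkInterfaceId"],
                             "target": tid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_mirroring(SESSIONS, TARGETS):
        print(f"{f['session']} mirrors {f['source_eni']} -> {f['target']}: {'; '.join(f['reasons'])}")
```

The allowlist check does the heavy lifting: any mirror session pointed at a target that was not created through change control is a finding regardless of where the target sits, and the cross-account ARN check catches the case where a target looks local but forwards to an NLB someone else owns.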
[T1020 ] Automated Exfiltration – Automated exfiltration uses scripts or tools to collect and send data without manual steps, often combining file-system traversal and network transfer methods to quietly move sensitive files off a network. #AutomatedExfiltration #DataExfiltration
[T1018 ] Remote System Discovery – Adversaries enumerate other systems on a network by IP, hostname, ARP cache, hosts files, or network device commands to plan lateral movement and target infrastructure. Monitoring command execution, process activity, and network logs helps detect this behavior early. #RemoteSystemDiscovery #NetworkDiscovery
[T1016.002 ] System Network Configuration Discovery: Wi-Fi Discovery – Adversaries search compromised hosts for Wi‑Fi network names and stored credentials to expand access, move laterally, or harvest credentials for future campaigns. Detect by monitoring Wi‑Fi enumeration commands (for example `netsh wlan show profiles` on Windows), the wireless API calls behind them, and access to system Wi‑Fi configuration files. #WiFiDiscovery #T1016.002
[T1016.001 ] System Network Configuration Discovery: Internet Connection Discovery – Adversaries probe compromised systems to verify Internet connectivity and discover paths to external servers before attempting C2 or data exfiltration. These probes can include ping, traceroute, and simple HTTP GETs and may reveal proxies, redirectors, or routing that affect attacker access. #InternetConnectionDiscovery #NetworkDiscovery
[T1016 ] System Network Configuration Discovery – Adversaries gather network configuration details such as IP and MAC addresses, routes, and interface settings to map and understand a target environment for follow-on actions. Monitoring command usage, CLI sessions, and system tools can reveal these reconnaissance efforts. #SystemNetworkConfigurationDiscovery #NetworkRecon
[T1014 ] Rootkit – Rootkits are stealthy tools attackers use to hide malware and maintain covert access by modifying or hooking system components at user, kernel, boot, or firmware levels. Detection requires layered monitoring of files, drivers, firmware, boot records, and unusual API/OS behavior. #Rootkit #DefenseEvasion
[T1012 ] Query Registry – Adversaries query the Windows Registry to collect OS, configuration, and installed-software details to guide further actions and persistence. Monitoring registry access and related command activity helps detect early discovery attempts and shape defenses. #QueryRegistry #WindowsRegistry
[T1011.001 ] Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth – Adversaries may use Bluetooth to move stolen data off devices when traditional network channels are blocked or monitored. This technique leverages proximity and often weaker defenses on wireless interfaces to bypass enterprise controls. #Exfiltration #Bluetooth
[T1011 ] Exfiltration Over Other Network Medium – Adversaries may move stolen data across alternate network channels (Wi‑Fi, cellular, Bluetooth, modem, RF) separate from the primary command-and-control path to avoid enterprise defenses and monitoring. Detecting these paths requires broad visibility into endpoints, wireless interfaces, and unusual process-network activity. #Exfiltration #NetworkSecurity
[T1010 ] Application Window Discovery – Adversaries enumerate open application windows to learn what programs and documents are active on a system, which can reveal high-value data, user behavior, or security tools to target or evade. #ApplicationWindowDiscovery #Discovery
[T1008 ] Fallback Channels – Adversaries use fallback channels to preserve command and control when primary paths fail or are blocked, switching to alternate protocols, ports, or covert methods to maintain access and exfiltration. Detecting these shifts requires focused monitoring of unusual flows, protocol misuse, and novel process networking. #FallbackChannels #CommandAndControl
[T1007 ] System Service Discovery – Adversaries enumerate installed and running services to map system capabilities and identify high-value targets or persistence opportunities. Detecting these queries quickly helps defenders link reconnaissance to follow-on actions like lateral movement or privilege escalation. #SystemServiceDiscovery #T1007
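The discovery entries on this page (T1018, T1016, T1016.001, T1016.002, T1012, T1007 and T1010) all recommend monitoring command execution, and the useful detection is the same for each of them: not any one command, but several distinct discovery techniques run by one user on one host in a short window. The following is an added example, not code from the original page, that does that over constructed process-creation records carrying the fields Sysmon Event ID 1 or Windows 4688 would provide. The command-line patterns, the five-minute window and the three-technique threshold are illustrative assumptions to tune against your own telemetry.

```python
"""Cluster host-discovery commands per user/host into a single alert
(T1007, T1010, T1012, T1016, T1016.001, T1016.002, T1018).

Added example over constructed process-creation records. A lone `ipconfig`
is noise; six discovery techniques from one actor in three minutes is not.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern -> ATT&CK technique, matched against the lower-cased command line.
# Illustrative, not exhaustive.
DISCOVERY_PATTERNS = [
    (re.compile(r"\b(net\s+view|arp\s+-a|nbtstat\b|nltest\s+/dclist)"), "T1018"),
    (re.compile(r"\b(ipconfig\s*/all|route\s+print|netsh\s+interface|netstat\s+-r)"), "T1016"),
    (re.compile(r"\b(ping\s+\S+|tracert\b|curl\s+https?://|invoke-webrequest\b)"), "T1016.001"),
    (re.compile(r"netsh\s+wlan\s+show\s+profiles|wlanapi\.dll"), "T1016.002"),
    (re.compile(r"\breg(\.exe)?\s+query\b|get-itemproperty\s+.*hk(lm|cu)"), "T1012"),
    (re.compile(r"\bsc(\.exe)?\s+query|get-service\b|net\s+start\b"), "T1007"),
    (re.compile(r"\btasklist\s+/v\b|get-process\b.*mainwindowtitle"), "T1010"),
]
WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_TECHNIQUES = 3              # assumed alert threshold

# Constructed sample records; fields mirror Sysmon EventID 1 / Security 4688.
SAMPLE_EVENTS = [
    {"ts": "2024-05-06T10:00:05", "host": "WS042", "user": "CORP\\jdoe", "cmd": "ipconfig /all"},
    {"ts": "2024-05-06T10:00:09", "host": "WS042", "user": "CORP\\jdoe", "cmd": "net view /domain"},
    {"ts": "2024-05-06T10:00:20", "host": "WS042", "user": "CORP\\jdoe", "cmd": "arp -a"},
    {"ts": "2024-05-06T10:01:02", "host": "WS042", "user": "CORP\\jdoe", "cmd": "netsh wlan show profiles"},
    {"ts": "2024-05-06T10:01:40", "host": "WS042", "user": "CORP\\jdoe", "cmd": "sc query type= service state= all"},
    {"ts": "2024-05-06T10:02:11", "host": "WS042", "user": "CORP\\jdoe",
     "cmd": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"},
    {"ts": "2024-05-06T10:02:30", "host": "WS042", "user": "CORP\\jdoe", "cmd": "ping 8.8.8.8 -n 1"},
    {"ts": "2024-05-06T11:30:00", "host": "WS007", "user": "CORP\\ops", "cmd": "ipconfig /all"},
    {"ts": "2024-05-06T11:31:00", "host": "WS007", "user": "CORP\\ops", "cmd": "notepad.exe"},
]


def classify(cmd):
    """Return the set of discovery techniques a command line matches."""
    lowered = cmd.lower()
    return {tech for pat, tech in DISCOVERY_PATTERNS if pat.search(lowered)}


def detect_discovery_bursts(events, window=WINDOW, min_techniques=MIN_TECHNIQUES):
    """Emit one alert per (host, user) whose densest window covers >= min_techniques.

    Events are sorted by time; a sliding window over each actor's discovery hits
    finds the span with the most distinct techniques, so the alert carries the
    whole burst rather than only the command that crossed the threshold.
    """
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        techs = classify(e["cmd"])
        if techs:
            by_actor[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), techs, e["cmd"]))

    alerts = []
    for (host, user), hits in by_actor.items():
        best = None   # (techniques, start_idx, end_idx)
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            seen = set().union(*(t for _, t, _ in hits[start:end + 1]))
            if len(seen) >= min_techniques and (best is None or len(seen) > len(best[0])):
                best = (seen, start, end)
        if best:
            seen, s, e = best
            alerts.append({"host": host, "user": user, "techniques": sorted(seen),
                           "first": hits[s][0].isoformat(), "last": hits[e][0].isoformat(),
                           "commands": [c for _, _, c in hits[s:e + 1]]})
    return alerts


if __name__ == "__main__":
    for a in detect_discovery_bursts(SAMPLE_EVENTS):
        print(f"{a['user']}@{a['host']} {a['first']}..{a['last']}: {', '.join(a['techniques'])}")
        for c in a["commands"]:
            print("   ", c)
```

Clustering by technique rather than by raw command count is what keeps the rule quiet for administrators: a help-desk script that runs `ipconfig /all` ten times scores one technique, while a hands-on-keyboard operator walking through network, service, registry and Wi‑Fi enumeration scores several within minutes.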