MITRE ATT&CK® Analytic

AN1936: Analytic 1936

  • Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.
  • Monitor DLL file events, specifically creation of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.
  • Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see Remote Services and applicable sub-techniques.
  • Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may use Valid Accounts to log in and may perform follow-on actions that spawn additional processes as the user.
  • Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may then perform these actions using Valid Accounts.
  • Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. The adversary may use Valid Accounts to enable remote logins.
  • Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). For added context on adversary procedures and background see Remote Services and applicable sub-techniques.

ICS · AN1936 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1936 is a detection analytic for spotting suspicious use of remote services such as RDP, Telnet, SSH, VNC, SMB, and related remote-management connections. Its business value is in validating whether the organization can distinguish normal remote administration from account misuse and lateral movement activity, especially in ICS environments where remote access can affect operational resilience.

Executive priority

Treat this as a control-validation and evidence question: can security teams prove who remotely accessed which systems, when, from where, and what happened next? Priority should go to environments where remote access reaches sensitive operational systems, where shared or valid accounts are used, or where audit and incident response require reliable reconstruction of remote logins, network flows, process activity, DLL events, command execution, and file-share access.

Technical view

SOC and IR teams should validate telemetry across remote-service activity: uncommon network flows by time, source, or destination; logins to systems a user does not normally access; rapid access to multiple systems; newly executed processes tied to remote services; commands and arguments executed through remote sessions; DLL creation and DLL loading into remote-service processes; newly constructed connections to remote protocols; and SMB or network-share reads and transfers. Detection should correlate remote login activity with abnormal behavior and possible discovery or follow-on actions rather than alerting only on the existence of remote access.

Likely telemetry

  • Network flow records showing source, destination, time, protocol, and port
  • Remote login and authentication logs for services such as RDP, Telnet, SSH, and VNC
  • User-to-system access history for baselining abnormal destinations or access patterns
  • Process creation events following remote logins
  • Command-line and argument telemetry for actions executed through remote services

Detection direction

  • Baseline normal remote administration by user, system, time of day, source address, destination address, and protocol.
  • Correlate valid-account remote logins with follow-on process execution, command execution, DLL activity, network-share access, and access to multiple systems in a short period.
  • Tune for administrative false positives, especially scheduled maintenance, jump-host activity, and authorized remote support workflows.
  • Validate coverage for both authentication events and post-login activity; login-only monitoring may miss the behavior that makes the session suspicious.
  • Review whether remote service activity can be tied back to a specific account and endpoint, since weak identity-to-host correlation reduces incident usefulness.
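The baselining and correlation steps listed above can be expressed as a small detection routine. The following Python is an added example, not code from MITRE or Glexia: it builds a per-user baseline of normally accessed hosts and login hours, then scores each remote-management login (tcp:22, tcp:3283, tcp:3389, tcp:5900, the ports named in the analytic) for new destinations, off-hours access, multiple hosts reached in a short window, and process creation on the destination host shortly after login. All users, hosts, timestamps and thresholds are constructed for illustration.

```python
"""Baseline-and-correlate detection over remote-service logins (added example).

Every record below is constructed for illustration; none comes from a real
environment or from the analytic itself.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-management ports named in AN1936: SSH, Apple Remote Desktop, RDP, VNC.
REMOTE_MGMT_PORTS = {22: "ssh", 3283: "ard", 3389: "rdp", 5900: "vnc"}

# Constructed baseline of historical remote logins: (user, destination host, hour of day).
BASELINE_LOGINS = [
    ("ops_admin", "hmi-01", 9), ("ops_admin", "hmi-01", 14),
    ("ops_admin", "eng-ws-02", 10), ("ops_admin", "eng-ws-02", 15),
    ("vendor_svc", "jump-01", 11), ("vendor_svc", "jump-01", 13),
]

# Constructed event stream: remote logins (network connection creation) and
# process-creation events seen afterwards. Timestamps are ISO-8601 local time.
EVENTS = [
    {"type": "login", "ts": "2024-05-02T10:05:00", "user": "ops_admin",
     "src": "10.1.0.5", "dst": "hmi-01", "dport": 3389},
    {"type": "login", "ts": "2024-05-02T02:10:00", "user": "vendor_svc",
     "src": "10.9.9.9", "dst": "plc-gw-01", "dport": 22},
    {"type": "login", "ts": "2024-05-02T02:12:00", "user": "vendor_svc",
     "src": "10.9.9.9", "dst": "hist-01", "dport": 3389},
    {"type": "login", "ts": "2024-05-02T02:14:00", "user": "vendor_svc",
     "src": "10.9.9.9", "dst": "eng-ws-02", "dport": 5900},
    {"type": "process", "ts": "2024-05-02T02:13:00", "user": "vendor_svc",
     "host": "hist-01", "parent": "winlogon.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
]


def build_baseline(logins):
    """Return (hosts, hours): per-user sets of normally accessed hosts and login hours."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for user, host, hour in logins:
        hosts[user].add(host)
        hours[user].add(hour)
    return hosts, hours


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect(events, baseline, window=timedelta(minutes=10), host_threshold=3,
           followup=timedelta(minutes=5)):
    """Score remote-management logins against the baseline and correlate follow-on activity.

    Returns a list of (event index, [reasons]) for every login with at least one reason.
    Logins to ports outside REMOTE_MGMT_PORTS are ignored; thresholds are illustrative.
    """
    hosts, hours = baseline
    logins = [(i, e) for i, e in enumerate(events) if e["type"] == "login"]
    procs = [e for e in events if e["type"] == "process"]
    findings = []
    for i, ev in logins:
        proto = REMOTE_MGMT_PORTS.get(ev["dport"])
        if proto is None:
            continue
        ts, user, reasons = parse_ts(ev["ts"]), ev["user"], []
        # Destination the user has never been seen to reach.
        if ev["dst"] not in hosts.get(user, set()):
            reasons.append(f"{proto}: {user} has no baseline access to {ev['dst']}")
        # Login outside the hours this user normally works.
        if ts.hour not in hours.get(user, set()):
            reasons.append(f"{proto}: login at hour {ts.hour:02d} is outside baseline hours")
        # Distinct hosts reached by this user in the window ending at this login.
        recent = {e["dst"] for _, e in logins
                  if e["user"] == user and ts - window <= parse_ts(e["ts"]) <= ts}
        if len(recent) >= host_threshold:
            minutes = int(window.total_seconds() // 60)
            reasons.append(f"{len(recent)} hosts reached within {minutes} min")
        # Process creation on the destination host by the same user shortly after login.
        for p in procs:
            if (p["user"] == user and p["host"] == ev["dst"]
                    and ts <= parse_ts(p["ts"]) <= ts + followup):
                reasons.append(f"follow-on process {p['image']} ({p['cmdline']}) on {ev['dst']}")
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for idx, why in detect(EVENTS, build_baseline(BASELINE_LOGINS)):
        ev = EVENTS[idx]
        print(f"[{ev['ts']}] {ev['user']} {ev['src']} -> {ev['dst']}:{ev['dport']}")
        for reason in why:
            print("   -", reason)
```

On the constructed data the single in-baseline login by ops_admin produces no finding, while the three vendor_svc logins are each flagged: the first for a new destination and off-hours access, the second additionally for the process spawned on the destination host a minute later, and the third for reaching three hosts inside the ten-minute window. In practice the baseline would be derived from weeks of authentication and flow records, and the window, host threshold and follow-up interval would be tuned against the maintenance and jump-host patterns noted above.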

Mitigation priorities

  • Inventory remote services and remote-management paths that are permitted to reach sensitive systems.
  • Restrict and govern valid-account remote access according to operational need, especially for systems that users would not normally access.
  • Ensure logging is enabled for remote logins, network connections, process creation, command execution, DLL activity, and SMB or network-share interactions where feasible.
  • Use baselines and allowlists for known administrative workflows, then investigate deviations rather than treating all remote access as equally suspicious.
  • Prepare incident response playbooks that connect remote-login evidence with discovery, lateral movement, and follow-on host activity.

Analyst notes and limits

The supplied object is an ICS ATT&CK detection analytic with no platforms, tactics, relationships, aliases, or separate official detection field provided. The description itself supplies the detection content and references Valid Accounts, Remote Services, and remote-service protocols. This take focuses on defensive validation and evidence readiness rather than asserting any specific adversary campaign or platform exposure.

No relationship context, platforms, tactics, or official detection section were supplied. Local network architecture, remote-access design, identity model, and available logs are required to determine actual coverage, priority, and tuning requirements.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 078678a47c70f64c...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 078678a47c70…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1936 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.