Last updated: April 29, 2026
SSH, SMB, RDP, WinRM, WMI, and iLO/iDRAC are management protocols — designed for administrators to do their jobs. Attackers love them because they’re everywhere, always allowed between admin endpoints and targets, and every organization has weak or reused credentials that reach through them. This module is about why management protocols are the main rails of lateral movement in 2026.
Why this happens
Management protocols are the backbone of IT operations. An admin needs to log into 500 servers: SSH to 500 Linux boxes, RDP to 200 Windows hosts, PowerShell Remoting (WinRM) to automate, WMI for inventory, SCCM agents calling home, iLO/iDRAC for out-of-band access. Every one of these is an authenticated channel that, once the attacker has the right credentials, gives full control of the target.
Three things make these high-value:
- Credential reuse. The same admin credentials work on many targets, so an attacker who compromises one admin account reaches many targets.
- Credentials cached in memory. When an admin RDPs to a server, the credentials are cached in that server's memory, so compromising the server means extracting the admin's credentials.
- Legitimate traffic is indistinguishable from attacks. RDP from an admin endpoint to a server is normal; RDP from the attacker's foothold to the same server using stolen creds looks just as normal. Detection requires context.
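The "detection requires context" point above, worked through as an added example (not part of this module): two context rules run over constructed Windows 4624 logon events, one flagging management logons from hosts that are not approved admin endpoints, the other flagging one credential fanning out to many targets in a short window. The admin-endpoint allowlist, the thresholds and the events themselves are assumptions.

```python
"""Context-based detection of management-protocol lateral movement.

Added example, not the module's own code. The events are constructed; the
admin-endpoint allowlist and thresholds are assumptions, not page values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 events: (time, account, target, source_ip, logon_type).
# Logon type 10 = RemoteInteractive (RDP), 3 = Network (SMB/WinRM/WMI).
EVENTS = [
    ("2026-04-29T09:00:00", "CORP\\adm.kim", "SRV01", "10.0.9.5", 10),
    ("2026-04-29T09:05:00", "CORP\\adm.kim", "SRV02", "10.0.9.5", 3),
    ("2026-04-29T13:00:00", "CORP\\adm.kim", "SRV03", "10.0.44.17", 10),
    ("2026-04-29T13:00:20", "CORP\\adm.kim", "SRV04", "10.0.44.17", 3),
    ("2026-04-29T13:00:45", "CORP\\adm.kim", "SRV05", "10.0.44.17", 3),
    ("2026-04-29T13:01:10", "CORP\\adm.kim", "SRV06", "10.0.44.17", 3),
]

# Assumption: admin logons are expected only from these jump hosts.
ADMIN_ENDPOINTS = {"10.0.9.5", "10.0.9.6"}


def flag_unexpected_source(events, admin_endpoints=ADMIN_ENDPOINTS):
    """Rule 1: same account, same protocol, but the session did not come
    from an approved admin endpoint. Returns (account, target, source_ip)."""
    return [(acct, tgt, src) for _, acct, tgt, src, _ in events
            if src not in admin_endpoints]


def flag_fan_out(events, window=timedelta(minutes=5), max_targets=3):
    """Rule 2: one credential reaching more than max_targets distinct hosts
    inside one window (the observable side of credential reuse).
    Returns {account: sorted distinct targets} for accounts over the limit."""
    by_account = defaultdict(list)
    for ts, acct, tgt, _, _ in events:
        by_account[acct].append((datetime.fromisoformat(ts), tgt))
    hits = {}
    for acct, seq in by_account.items():
        seq.sort()  # sliding window over time-ordered logons
        for i, (start, _) in enumerate(seq):
            targets = {t for ts, t in seq[i:] if ts - start <= window}
            if len(targets) > max_targets:
                hits[acct] = sorted(targets)
                break
    return hits
```

The two morning logons from the jump host trip neither rule; the afternoon burst from an unapproved source trips both, even though every event is a valid logon with valid credentials.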