T1210

Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine ...

Platforms: Linux, Windows, macOS, ESXi

35 Detections
5 Sources
11 Threat Actors

BY SOURCE

elastic: 19
sigma: 7
splunk_escu: 6
crowdstrike_cql: 2
kql: 1

PROCEDURES (20)

Persist: 3 detections (auto-extracted)
Dns: 2 detections (auto-extracted)
General Monitoring: 2 detections (auto-extracted)
Dns: 2 detections (auto-extracted)
Unusual: 2 detections (auto-extracted)
Suspicious: 2 detections (auto-extracted)
Anomal: 2 detections (auto-extracted)
Privilege: 2 detections (auto-extracted)
Exfiltrat: 2 detections (auto-extracted)
Network Connection Monitoring: 2 detections (auto-extracted)
Exfiltrat: 2 detections (auto-extracted)
Anomal: 2 detections (auto-extracted)
Service: 2 detections (auto-extracted)
Suspicious: 2 detections (auto-extracted)
Authentication Monitoring: 1 detection (auto-extracted)
Authentication Monitoring: 1 detection (auto-extracted)
Service: 1 detection (auto-extracted)
Dns: 1 detection (auto-extracted)
Dns: 1 detection (auto-extracted)
Http: 1 detection (auto-extracted)

DETECTIONS (35)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity.

Abnormally Large DNS Response (elastic, medium)
Active Directory Lateral Movement Identified (splunk_escu)
Apache Threading Error (sigma, medium)
Audit CVE Event (sigma, critical)
Cisco Secure Firewall - Lumma Stealer Activity (splunk_escu)
Cisco Secure Firewall - Static Tundra Smart Install Abuse (splunk_escu)
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity (splunk_escu)
Detect Computer Changed with Anonymous Account (splunk_escu)
DNS Query Request By QuickAssist.EXE (sigma, low)
HackTool - SharpWSUS/WSUSpendu Execution (sigma, high)
High Mean of Process Arguments in an RDP Session (elastic, low)
High Mean of RDP Session Duration (elastic, low)
High Variance in RDP Session Duration (elastic, low)
IOC search | PTC Windchill & FlexPLM vulnerability (crowdstrike_cql)
IOC search | PTC Windchill & FlexPLM vulnerability (crowdstrike_cql)
LDAPNightmare Exploitation Attempt (kql)
Microsoft Exchange Server UM Spawning Suspicious Processes (elastic, medium)
Microsoft Exchange Server UM Writing Suspicious Files (elastic, medium)
Potential Telnet Authentication Bypass (CVE-2026-24061) (elastic, critical)
Potential WSUS Abuse for Lateral Movement (elastic, medium)
Spike in Number of Connections Made from a Source IP (elastic, low)
Spike in Number of Connections Made to a Destination IP (elastic, low)
Spike in Number of Processes in an RDP Session (elastic, low)
Spike in Remote File Transfers (elastic, low)
Suspicious SysAidServer Child (sigma, medium)
Telnet Authentication Bypass via User Environment Variable (elastic, critical)
Terminal Service Process Spawn (sigma, high)
Unusual Child Process of dns.exe (elastic, high)
Unusual File Operation by dns.exe (elastic, medium)
Unusual Remote File Directory (elastic, low)
Unusual Remote File Extension (elastic, low)
Unusual Remote File Size (elastic, low)
Unusual Time or Day for an RDP Session (elastic, low)
VMWare Aria Operations Exploit Attempt (splunk_escu)
Zerologon Exploitation Using Well-known Tools (sigma, critical)