T1210

Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine ...

Platforms: Linux, Windows, macOS, ESXi

33 detections, 4 sources, 11 threat actors

By source: 19 elastic, 7 sigma, 6 splunk_escu, 1 crowdstrike_cql

PROCEDURES (20)

Each procedure below is an auto-extracted grouping of detections by keyword.

- Event Log: 2 detections
- Network Connection Monitoring: 2 detections
- Exfiltrat: 2 detections
- Privilege: 2 detections
- Anomal: 2 detections
- Dns: 2 detections
- Service: 2 detections
- Unusual: 2 detections
- Persist: 2 detections
- General Monitoring: 2 detections
- Suspicious: 2 detections
- Suspicious: 2 detections
- Bypass: 2 detections
- Authentication Monitoring: 1 detection
- Event Log: 1 detection
- Http: 1 detection
- Service: 1 detection
- Dns: 1 detection
- Http: 1 detection
- Dns: 1 detection

DETECTIONS (33)

Format: detection name (source, severity where given)

- Abnormally Large DNS Response (elastic, medium)
- Active Directory Lateral Movement Identified (splunk_escu)
- Apache Threading Error (sigma, medium)
- Audit CVE Event (sigma, critical)
- Cisco Secure Firewall - Lumma Stealer Activity (splunk_escu)
- Cisco Secure Firewall - Static Tundra Smart Install Abuse (splunk_escu)
- Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity (splunk_escu)
- Detect Computer Changed with Anonymous Account (splunk_escu)
- DNS Query Request By QuickAssist.EXE (sigma, low)
- HackTool - SharpWSUS/WSUSpendu Execution (sigma, high)
- High Mean of Process Arguments in an RDP Session (elastic, low)
- High Mean of RDP Session Duration (elastic, low)
- High Variance in RDP Session Duration (elastic, low)
- IOC search | PTC Windchill & FlexPLM vulnerability (crowdstrike_cql)
- Microsoft Exchange Server UM Spawning Suspicious Processes (elastic, medium)
- Microsoft Exchange Server UM Writing Suspicious Files (elastic, medium)
- Potential Telnet Authentication Bypass (CVE-2026-24061) (elastic, critical)
- Potential WSUS Abuse for Lateral Movement (elastic, medium)
- Spike in Number of Connections Made from a Source IP (elastic, low)
- Spike in Number of Connections Made to a Destination IP (elastic, low)
- Spike in Number of Processes in an RDP Session (elastic, low)
- Spike in Remote File Transfers (elastic, low)
- Suspicious SysAidServer Child (sigma, medium)
- Telnet Authentication Bypass via User Environment Variable (elastic, critical)
- Terminal Service Process Spawn (sigma, high)
- Unusual Child Process of dns.exe (elastic, high)
- Unusual File Operation by dns.exe (elastic, medium)
- Unusual Remote File Directory (elastic, low)
- Unusual Remote File Extension (elastic, low)
- Unusual Remote File Size (elastic, low)
- Unusual Time or Day for an RDP Session (elastic, low)
- VMWare Aria Operations Exploit Attempt (splunk_escu)
- Zerologon Exploitation Using Well-known Tools (sigma, critical)