Applied Cybernetics Group
T1210 — Exploitation of Remote Services
- Technique
T1210- Tactics
- Lateral Movement
- MISP citations
- 0
- KEV CVEs mapped
- 4
- Community rules
- 15
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1210
MITRE description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. There are several well-known vulnerabilities that exist in common services such as SMB(Citation: CIS Multiple SMB Vulnerabilities) and RDP(Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL(Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Additionally, there have been a number of vulnerabilities in VMware vCenter installations, which may enable threat actors to move laterally from the compromised vCenter server to virtual machines or even to ESXi hypervisors.(Citation: Broadcom VMSA-2024-0019) Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- WannaCry Ransomware Activity (emerging-threats)
- Scanner PoC for CVE-2019-0708 RDP RCE Vuln (emerging-threats)
- Potential RDP Exploit CVE-2019-0708 (emerging-threats)
- Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC (emerging-threats)
- OMIGOD HTTP No Authentication RCE - CVE-2021-38647 (emerging-threats)
- Possible Exploitation of Exchange RCE CVE-2021-42321 (emerging-threats)
- Exploitation Attempt Of CVE-2023-46214 Using Public POC Code (emerging-threats)
- Potential CVE-2023-46214 Exploitation Attempt (emerging-threats)
- Apache Threading Error (core)
- Audit CVE Event (core)
- Zerologon Exploitation Using Well-known Tools (core)
- DNS Query Request By QuickAssist.EXE (core)
- HackTool - SharpWSUS/WSUSpendu Execution (core)
- Suspicious SysAidServer Child (core)
- Terminal Service Process Spawn (core)