Which SIEM platforms have a T1210 detection rule?

df00tech provides T1210 (Exploitation of Remote Services) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1210 detection?

The T1210 detection is rated critical severity with medium confidence.

What are common false positives for T1210?

Common false positives for T1210 include: Legitimate print spooler activity during driver installation may spawn msiexec.exe or rundll32.exe (spoolsv.exe -> msiexec.exe with a known printer vendor path); SQL Server maintenance stored procedures or external scripts that invoke cmd.exe for backup/restore operations (sqlservr.exe -> cmd.exe with well-known backup tool paths); IIS application pools running ASP.NET applications that legitimately shell out to cmd.exe for document conversion, PDF generation, or file operations (w3wp.exe -> cmd.exe in specific application pools).

T1210

Exploitation of Remote Services

Q: What data sources are required to detect Exploitation of Remote Services (T1210)?

Detecting Exploitation of Remote Services requires the following data sources: Process: Process Creation, Process: OS API Execution, Microsoft Defender for Endpoint DeviceProcessEvents, Microsoft Defender for Endpoint DeviceEvents.

Lateral Movement Last updated: April 19, 2026

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation occurs when an adversary takes advantage of a programming error in a program, service, or OS kernel to execute adversary-controlled code. Common targets include SMB (EternalBlue/MS17-010 — used by WannaCry, NotPetya, Emotet, QakBot, Bad Rabbit, APT28, Ember Bear), RDP (BlueKeep CVE-2019-0708 — used by InvisiMole, Fox Kitten), Active Directory Netlogon (ZeroLogon CVE-2020-1472 — used by Wizard Spider, Earth Lusca), Windows Print Spooler (PrintNightmare CVE-2021-1675/CVE-2021-34527 — used in ransomware operations), and VMware vCenter (VMSA-2024-0019 — ESXi hypervisor takeover). Post-exploitation typically manifests as unexpected child processes spawned from the exploited service (e.g., spoolsv.exe spawning cmd.exe), remote thread injection into privileged processes, or new services installed via SMB pipes. Successful exploitation may yield SYSTEM-level access, enabling further lateral movement, credential theft, or ransomware deployment.

What is T1210 Exploitation of Remote Services?

Exploitation of Remote Services (T1210) maps to the Lateral Movement tactic — the adversary is trying to move through your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Exploitation of Remote Services, covering the data sources and telemetry it touches: Process: Process Creation, Process: OS API Execution, Microsoft Defender for Endpoint DeviceProcessEvents, Microsoft Defender for Endpoint DeviceEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Lateral Movement
Technique: T1210 Exploitation of Remote Services
Canonical reference: https://attack.mitre.org/techniques/T1210/

Microsoft Sentinel / Defender

kusto

let ExploitableServiceParents = dynamic([
    "spoolsv.exe",
    "lsass.exe",
    "services.exe",
    "winlogon.exe",
    "w3wp.exe",
    "sqlservr.exe",
    "vmtoolsd.exe"
]);
let SuspiciousChildProcesses = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "net.exe", "net1.exe", "whoami.exe",
    "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "regsvr32.exe", "rundll32.exe", "msiexec.exe", "curl.exe", "wget.exe"
]);
// Branch 1: Unexpected shell or tool spawned directly from a network-facing or privileged service process
// This is the most reliable indicator of successful remote exploitation (PrintNightmare, ZeroLogon, SQL CVEs, VMware CVEs)
let ServiceChildExploit = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (ExploitableServiceParents)
| where FileName has_any (SuspiciousChildProcesses)
| extend ExploitType = case(
    InitiatingProcessFileName =~ "spoolsv.exe",   "PrintSpooler-PrintNightmare-CVE-2021-1675",
    InitiatingProcessFileName =~ "lsass.exe",     "LSASS-ZeroLogon-CVE-2020-1472",
    InitiatingProcessFileName =~ "w3wp.exe",      "IIS-WebServer-Exploitation",
    InitiatingProcessFileName =~ "sqlservr.exe",  "SQLServer-Exploitation-CVE-2016-6662",
    InitiatingProcessFileName =~ "vmtoolsd.exe",  "VMware-Tools-Exploitation",
    InitiatingProcessFileName =~ "winlogon.exe",  "AuthService-Exploitation",
    "ServiceProcess-Exploitation"
)
| extend DetectionBranch = "ServiceChildExploit"
| extend ExploitContext = strcat(InitiatingProcessFileName, " -> ", FileName)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ExploitType, DetectionBranch, ExploitContext;
// Branch 2: Remote thread injection from a service process into another process
// Indicates code injection following memory corruption exploit (e.g., EternalBlue shellcode injecting into winlogon)
let RemoteThreadInject = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName has_any (ExploitableServiceParents)
| extend ExploitType = "RemoteThreadInjection-PostServiceExploit"
| extend DetectionBranch = "RemoteThreadInjection"
| extend ExploitContext = strcat("Injector: ", InitiatingProcessFileName, " -> Target: ", FileName)
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         FileName,
         ProcessCommandLine = "",
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ExploitType, DetectionBranch, ExploitContext;
union ServiceChildExploit, RemoteThreadInject
| sort by Timestamp desc

Detects post-exploitation activity following successful remote service exploitation using two branches: (1) unexpected shell or tool processes (cmd.exe, powershell.exe, certutil.exe, etc.) spawned directly by network-facing or privileged service processes — the primary indicator of successful PrintNightmare (spoolsv.exe), ZeroLogon (lsass.exe), IIS CVEs (w3wp.exe), SQL Server exploitation (sqlservr.exe), and VMware tool exploits (vmtoolsd.exe); (2) remote thread injection calls originating from those same service processes, indicative of EternalBlue-style shellcode injecting into processes post-exploitation. The ExploitType field maps the parent process to the most likely vulnerability class.

critical severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Microsoft Defender for Endpoint DeviceProcessEvents Microsoft Defender for Endpoint DeviceEvents

Required Tables

DeviceProcessEvents DeviceEvents

False Positives

Legitimate print spooler activity during driver installation may spawn msiexec.exe or rundll32.exe (spoolsv.exe -> msiexec.exe with a known printer vendor path)
SQL Server maintenance stored procedures or external scripts that invoke cmd.exe for backup/restore operations (sqlservr.exe -> cmd.exe with well-known backup tool paths)
IIS application pools running ASP.NET applications that legitimately shell out to cmd.exe for document conversion, PDF generation, or file operations (w3wp.exe -> cmd.exe in specific application pools)
VMware Tools performing guest customization or cloning operations that invoke PowerShell scripts for network configuration (vmtoolsd.exe -> powershell.exe during clone finalization)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=1 OR EventCode=8)
| eval NormalizedParent=coalesce(ParentImage, SourceImage)
| eval NormalizedChild=coalesce(Image, TargetImage)
| eval IsServiceChildExploit=if(
    EventCode=1 AND
    (
      NormalizedParent="*\\spoolsv.exe" OR NormalizedParent="*\\lsass.exe" OR
      NormalizedParent="*\\services.exe" OR NormalizedParent="*\\winlogon.exe" OR
      NormalizedParent="*\\w3wp.exe" OR NormalizedParent="*\\sqlservr.exe" OR
      NormalizedParent="*\\vmtoolsd.exe"
    ) AND
    (
      NormalizedChild="*\\cmd.exe" OR NormalizedChild="*\\powershell.exe" OR
      NormalizedChild="*\\pwsh.exe" OR NormalizedChild="*\\net.exe" OR
      NormalizedChild="*\\net1.exe" OR NormalizedChild="*\\whoami.exe" OR
      NormalizedChild="*\\certutil.exe" OR NormalizedChild="*\\mshta.exe" OR
      NormalizedChild="*\\wscript.exe" OR NormalizedChild="*\\cscript.exe" OR
      NormalizedChild="*\\regsvr32.exe" OR NormalizedChild="*\\rundll32.exe" OR
      NormalizedChild="*\\msiexec.exe"
    ),
    1, 0
)
| eval IsRemoteThreadInject=if(
    EventCode=8 AND
    (
      NormalizedParent="*\\spoolsv.exe" OR NormalizedParent="*\\lsass.exe" OR
      NormalizedParent="*\\services.exe" OR NormalizedParent="*\\w3wp.exe" OR
      NormalizedParent="*\\sqlservr.exe" OR NormalizedParent="*\\vmtoolsd.exe"
    ),
    1, 0
)
| where IsServiceChildExploit=1 OR IsRemoteThreadInject=1
| eval DetectionBranch=if(IsServiceChildExploit=1, "ServiceChildExploit", "RemoteThreadInjection")
| eval ExploitType=case(
    match(NormalizedParent, "spoolsv\.exe"),  "PrintSpooler-PrintNightmare",
    match(NormalizedParent, "lsass\.exe"),    "LSASS-ZeroLogon-Exploitation",
    match(NormalizedParent, "w3wp\.exe"),     "IIS-WebServer-Exploitation",
    match(NormalizedParent, "sqlservr\.exe"), "SQLServer-Exploitation",
    match(NormalizedParent, "vmtoolsd\.exe"), "VMware-Exploitation",
    match(NormalizedParent, "winlogon\.exe"), "AuthService-Exploitation",
    true(), "ServiceProcess-Exploitation"
)
| eval PostExploitIndicators=mvappend(
    if(match(lower(CommandLine), "(whoami|net user|net localgroup|hostname|ipconfig|systeminfo|nltest)"), "SystemRecon", null()),
    if(match(lower(CommandLine), "(-enc|-encodedcommand|bypass|downloadstring|invoke-expression|iex)"), "PowerShellObfuscation", null()),
    if(match(lower(NormalizedChild), "(certutil|mshta|regsvr32|rundll32)\.exe"), "LOLBinExecution", null()),
    if(match(lower(CommandLine), "(net use|copy .*\\\\\\\\|xcopy|robocopy)"), "LateralMovementCmd", null()),
    if(match(lower(CommandLine), "(net user.*\/add|localgroup.*administrators)"), "PrivilegeEscalation", null())
)
| table _time, host, User, NormalizedChild, CommandLine, NormalizedParent, ParentCommandLine, ExploitType, DetectionBranch, PostExploitIndicators
| rename NormalizedChild as ChildProcess, NormalizedParent as ParentProcess
| sort - _time

Detects post-exploitation activity following remote service exploitation using Sysmon Event ID 1 (Process Creation) and Event ID 8 (CreateRemoteThread). Normalizes ParentImage/SourceImage and Image/TargetImage fields across both event types to enable unified detection. The ExploitType field maps the exploited service to the most likely vulnerability class. The PostExploitIndicators field enriches each alert with specific post-exploitation behaviors observed in the spawned child process command line (reconnaissance commands, LOLBin usage, lateral movement, privilege escalation). Both branches fire as separate detections unified by the where clause.

critical severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Sysmon Event ID 1 Sysmon Event ID 8

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate print spooler driver installation spawning msiexec.exe or rundll32.exe with known vendor installer paths
SQL Server maintenance jobs invoking cmd.exe for backup utility execution (verify against known backup schedules and paths)
IIS application pools shelling out to cmd.exe for document processing (ASP.NET applications calling pdfconvert, ImageMagick, etc.)
VMware Tools customization scripts invoking PowerShell during VM provisioning or clone finalization

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  "ParentProcessPath" AS parent_process,
  "ProcessPath" AS child_process,
  "CommandLine" AS command_line,
  CASE
    WHEN LOWER("ParentProcessPath") LIKE '%spoolsv.exe' THEN 'PrintSpooler-PrintNightmare-CVE-2021-1675'
    WHEN LOWER("ParentProcessPath") LIKE '%lsass.exe' THEN 'LSASS-ZeroLogon-CVE-2020-1472'
    WHEN LOWER("ParentProcessPath") LIKE '%w3wp.exe' THEN 'IIS-WebServer-Exploitation'
    WHEN LOWER("ParentProcessPath") LIKE '%sqlservr.exe' THEN 'SQLServer-Exploitation'
    WHEN LOWER("ParentProcessPath") LIKE '%vmtoolsd.exe' THEN 'VMware-Tools-Exploitation'
    WHEN LOWER("ParentProcessPath") LIKE '%winlogon.exe' THEN 'AuthService-Exploitation'
    ELSE 'ServiceProcess-Exploitation'
  END AS exploit_type,
  CASE
    WHEN QIDNAME(qid) LIKE '%Create Remote Thread%' THEN 'RemoteThreadInjection'
    ELSE 'ServiceChildExploit'
  END AS detection_branch,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  logsourceid
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
      eventid IN (1, 4688)
      AND (
        LOWER("ParentProcessPath") LIKE '%spoolsv.exe' OR
        LOWER("ParentProcessPath") LIKE '%lsass.exe' OR
        LOWER("ParentProcessPath") LIKE '%services.exe' OR
        LOWER("ParentProcessPath") LIKE '%winlogon.exe' OR
        LOWER("ParentProcessPath") LIKE '%w3wp.exe' OR
        LOWER("ParentProcessPath") LIKE '%sqlservr.exe' OR
        LOWER("ParentProcessPath") LIKE '%vmtoolsd.exe'
      )
      AND (
        LOWER("ProcessPath") LIKE '%cmd.exe' OR
        LOWER("ProcessPath") LIKE '%powershell.exe' OR
        LOWER("ProcessPath") LIKE '%pwsh.exe' OR
        LOWER("ProcessPath") LIKE '%net.exe' OR
        LOWER("ProcessPath") LIKE '%net1.exe' OR
        LOWER("ProcessPath") LIKE '%whoami.exe' OR
        LOWER("ProcessPath") LIKE '%certutil.exe' OR
        LOWER("ProcessPath") LIKE '%mshta.exe' OR
        LOWER("ProcessPath") LIKE '%wscript.exe' OR
        LOWER("ProcessPath") LIKE '%cscript.exe' OR
        LOWER("ProcessPath") LIKE '%regsvr32.exe' OR
        LOWER("ProcessPath") LIKE '%rundll32.exe' OR
        LOWER("ProcessPath") LIKE '%msiexec.exe'
      )
    )
    OR
    (
      eventid = 8
      AND (
        LOWER("SourceImage") LIKE '%spoolsv.exe' OR
        LOWER("SourceImage") LIKE '%lsass.exe' OR
        LOWER("SourceImage") LIKE '%services.exe' OR
        LOWER("SourceImage") LIKE '%w3wp.exe' OR
        LOWER("SourceImage") LIKE '%sqlservr.exe' OR
        LOWER("SourceImage") LIKE '%vmtoolsd.exe'
      )
    )
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LIMIT 500

QRadar AQL query detecting T1210 remote service exploitation via two signals ingested from Windows Security Event Log and Sysmon log sources: (1) process creation events (Sysmon EID 1 or Security EID 4688) where a known exploitable service process spawns a shell or living-off-the-land binary, and (2) Sysmon EID 8 CreateRemoteThread events sourced from privileged service processes. Exploit type classification maps parent process to specific CVE campaigns.

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon via Windows Event Log forwarding Microsoft Windows Sysmon DSM

Required Tables

events

False Positives

Windows Update service (TrustedInstaller via services.exe) spawning msiexec.exe or cmd.exe during legitimate patch application windows
Monitoring agents (Datadog, Dynatrace, SolarWinds) hosted in IIS worker processes (w3wp.exe) that execute diagnostic PowerShell scripts during health checks
VMware Tools update routines that briefly spawn cmd.exe from vmtoolsd.exe when applying in-guest updates or running guest customization scripts

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*
| where (%"EventID" = "1" OR %"EventID" = "4688" OR %"EventID" = "8")
| if(%"EventID" = "8", %"SourceImage", %"ParentImage") as NormalizedParent
| if(%"EventID" = "8", %"TargetImage", %"Image") as NormalizedChild
| where (
    (%"EventID" in ("1","4688") AND
      (
        NormalizedParent matches "*\\spoolsv.exe" OR
        NormalizedParent matches "*\\lsass.exe" OR
        NormalizedParent matches "*\\services.exe" OR
        NormalizedParent matches "*\\winlogon.exe" OR
        NormalizedParent matches "*\\w3wp.exe" OR
        NormalizedParent matches "*\\sqlservr.exe" OR
        NormalizedParent matches "*\\vmtoolsd.exe"
      ) AND
      (
        NormalizedChild matches "*\\cmd.exe" OR
        NormalizedChild matches "*\\powershell.exe" OR
        NormalizedChild matches "*\\pwsh.exe" OR
        NormalizedChild matches "*\\net.exe" OR
        NormalizedChild matches "*\\net1.exe" OR
        NormalizedChild matches "*\\whoami.exe" OR
        NormalizedChild matches "*\\certutil.exe" OR
        NormalizedChild matches "*\\mshta.exe" OR
        NormalizedChild matches "*\\wscript.exe" OR
        NormalizedChild matches "*\\cscript.exe" OR
        NormalizedChild matches "*\\regsvr32.exe" OR
        NormalizedChild matches "*\\rundll32.exe" OR
        NormalizedChild matches "*\\msiexec.exe"
      )
    )
    OR
    (%"EventID" = "8" AND
      (
        NormalizedParent matches "*\\spoolsv.exe" OR
        NormalizedParent matches "*\\lsass.exe" OR
        NormalizedParent matches "*\\services.exe" OR
        NormalizedParent matches "*\\w3wp.exe" OR
        NormalizedParent matches "*\\sqlservr.exe" OR
        NormalizedParent matches "*\\vmtoolsd.exe"
      )
    )
  )
| if(%"EventID" = "8", "RemoteThreadInjection", "ServiceChildExploit") as DetectionBranch
| if(NormalizedParent matches "*\\spoolsv.exe", "PrintSpooler-PrintNightmare-CVE-2021-1675",
    if(NormalizedParent matches "*\\lsass.exe", "LSASS-ZeroLogon-CVE-2020-1472",
    if(NormalizedParent matches "*\\w3wp.exe", "IIS-WebServer-Exploitation",
    if(NormalizedParent matches "*\\sqlservr.exe", "SQLServer-Exploitation",
    if(NormalizedParent matches "*\\vmtoolsd.exe", "VMware-Exploitation",
    if(NormalizedParent matches "*\\winlogon.exe", "AuthService-Exploitation",
    "ServiceProcess-Exploitation")))))) as ExploitType
| count by _messageTime, Computer, User, NormalizedParent, NormalizedChild, %"CommandLine", ExploitType, DetectionBranch
| fields - _count
| sort by _messageTime desc

Sumo Logic CSE query detecting T1210 remote service exploitation from Windows Sysmon and Security Event Log sources. Matches Sysmon EID 1 and Windows Security EID 4688 process creation events where exploitable service parent processes (Print Spooler, LSASS, IIS, SQL Server, VMware Tools) spawn shells or LOLBins, and Sysmon EID 8 CreateRemoteThread events from those same parents. Classifies each hit by exploit type based on the parent process name.

critical severity high confidence

Data Sources

Sysmon (Windows Event Forwarding) Windows Security Event Log Sumo Logic Installed Collector (Windows)

Required Tables

Windows Sysmon logs (_sourceCategory=*sysmon*) Windows Event Logs (_sourceCategory=*wineventlog*)

False Positives

Scheduled tasks that run under services.exe context and legitimately execute PowerShell or cmd.exe for automation, backup, or reporting jobs during business hours
IIS-hosted web applications (w3wp.exe) that invoke certutil.exe or msiexec.exe as part of documented certificate renewal workflows or self-updating application packages
SQL Server jobs using CmdExec step type that execute system commands via sqlservr.exe spawning cmd.exe — especially common in legacy DBA automation scripts

Google Chronicle / SecOps

yaral

rule t1210_exploitation_remote_services {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1210 - Exploitation of Remote Services. Identifies suspicious child processes spawned from exploitable Windows service executables (PrintNightmare, ZeroLogon, IIS, SQL, VMware CVEs) and CreateRemoteThread injection from service processes."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1210"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1210/"
    version = "1.0"

  events:
    (
      // Branch 1: Service parent spawning suspicious child (process create)
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$`)
        or re.regex($e1.target.process.file.full_path, `(?i)(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$`)
      )
      and re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|pwsh|net|net1|whoami|certutil|mshta|wscript|cscript|regsvr32|rundll32|msiexec|curl|wget)\.exe$`)
    )
    or
    (
      // Branch 2: CreateRemoteThread from service process (injection)
      $e1.metadata.event_type = "INJECTED_CODE"
      and re.regex($e1.principal.process.file.full_path, `(?i)(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$`)
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting T1210 exploitation of remote services. Branch 1 uses PROCESS_LAUNCH UDM events to match process hierarchy where exploitable Windows service executables (spoolsv.exe for PrintNightmare, lsass.exe for ZeroLogon, w3wp.exe for IIS CVEs, sqlservr.exe for SQL CVEs, vmtoolsd.exe for VMware CVEs) spawn known post-exploitation shells or LOLBins. Branch 2 uses INJECTED_CODE UDM events to catch CreateRemoteThread injection from those same service parents. Regex patterns are case-insensitive to handle varied capitalization in telemetry.

critical severity high confidence

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH events) Google Chronicle UDM (INJECTED_CODE events) Chronicle Forwarder with Windows Event Log / Sysmon parser CrowdStrike Falcon Chronicle integration

Required Tables

UDM Events (PROCESS_LAUNCH) UDM Events (INJECTED_CODE)

False Positives

Enterprise software management solutions (Tanium, BigFix) that deploy updates or run inventory scripts through service processes, legitimately spawning cmd.exe or PowerShell during maintenance windows
Print management software or printer driver installers that temporarily spawn shell processes from spoolsv.exe during legitimate printer driver installation or update operations
Web application frameworks (ASP.NET, Java on IIS) that use process execution for PDF generation, image processing, or external tool invocation as documented application functionality

CrowdStrike LogScale (CQL)

cql

// Branch 1: Suspicious child processes from exploitable service parents
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$/i
| FileName = /^(cmd|powershell|pwsh|net|net1|whoami|certutil|mshta|wscript|cscript|regsvr32|rundll32|msiexec|curl|wget)\.exe$/i
| ExploitType := case {
    ParentBaseFileName = /spoolsv\.exe/i, "PrintSpooler-PrintNightmare-CVE-2021-1675" ;
    ParentBaseFileName = /lsass\.exe/i, "LSASS-ZeroLogon-CVE-2020-1472" ;
    ParentBaseFileName = /w3wp\.exe/i, "IIS-WebServer-Exploitation" ;
    ParentBaseFileName = /sqlservr\.exe/i, "SQLServer-Exploitation" ;
    ParentBaseFileName = /vmtoolsd\.exe/i, "VMware-Tools-Exploitation" ;
    ParentBaseFileName = /winlogon\.exe/i, "AuthService-Exploitation" ;
    * , "ServiceProcess-Exploitation"
  }
| DetectionBranch := "ServiceChildExploit"
| table([#timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, ExploitType, DetectionBranch])

UNION

// Branch 2: Remote thread injection from service processes
#event_simpleName=CreateRemoteThreadV5
| SourceProcessImageFileName = /^(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$/i
| ExploitType := "RemoteThreadInjection-PostServiceExploit"
| DetectionBranch := "RemoteThreadInjection"
| table([#timestamp, ComputerName, UserName, SourceProcessImageFileName, TargetProcessImageFileName, TargetProcessId, ExploitType, DetectionBranch])

| sort(field=@timestamp, order=desc)

CrowdStrike LogScale CQL detection for T1210 exploitation of remote services using two branches: (1) ProcessRollup2 events filtered to cases where a known exploitable Windows service executable (spoolsv.exe, lsass.exe, services.exe, winlogon.exe, w3wp.exe, sqlservr.exe, vmtoolsd.exe) spawns shells or LOLBins as child processes — the primary signal for PrintNightmare, ZeroLogon, IIS/SQL/VMware CVE exploitation; (2) CreateRemoteThreadV5 Falcon events where injection originates from those same service parents, indicating post-exploitation shellcode execution. Results are unioned and sorted by timestamp.

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR) Falcon sensor process telemetry (ProcessRollup2) Falcon sensor injection telemetry (CreateRemoteThreadV5)

Required Tables

ProcessRollup2 CreateRemoteThreadV5

False Positives

CrowdStrike Falcon sensor updates or diagnostics that temporarily manifest as service-spawned child processes on endpoints receiving sensor version upgrades
SQL Server Reporting Services (SSRS) or SQL Server Integration Services (SSIS) executing PowerShell tasks as part of legitimate ETL pipelines or scheduled report generation jobs via sqlservr.exe
VMware Tools guest customization scripts that run during VM provisioning or cloning operations, spawning cmd.exe from vmtoolsd.exe to execute sysprep-related commands

Sigma rule & cross-platform mapping

The detection logic for Exploitation of Remote Services (T1210) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1210 Sigma rules on detection.fyi

Platform-specific guides for T1210

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-19 Research depth: deep

References (10)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1EternalBlue SMB Vulnerability Scan (MS17-010 Detection)
Expected signal: Sysmon EventID 3 (Network Connection): outbound TCP connections from nmap to <target_lab_ip>:445. On the target Windows host: Security Event ID 5145 (network share access) and potentially IDS/IPS alerts on SMB probe patterns. On the scanning host: no Sysmon events (Linux), but EDR network telemetry shows port 445 probe.
Test 2ZeroLogon Vulnerability Check via Impacket (CVE-2020-1472)
Expected signal: Network connections from testing host to DC on TCP 135 (RPC endpoint mapper) and the dynamically assigned Netlogon RPC port. On the DC: Security Event ID 4742 (Computer Account Changed) if exploitation proceeds, Security Event ID 4625 (Logon Failure) for failed authentication attempts, and Netlogon EventID 5829/5827 (vulnerable Netlogon secure channel connection denied if patch is applied). Windows Defender will generate Alert: Zerologon exploitation attempt if Defender ATP is active.
Test 3PrintNightmare Exploitation via Impacket CVE-2021-1675
Expected signal: On the target host: Sysmon EventID 1 (Process Create) with ParentImage=C:\Windows\System32\spoolsv.exe spawning rundll32.exe or the payload process. Sysmon EventID 7 (Image Load) showing spoolsv.exe loading a DLL from a UNC path (\\attacker\share\nightmare.dll). Security Event ID 316 (Print Spooler: driver installation) in Microsoft-Windows-PrintService/Admin log. File creation event (Sysmon EventID 11) for the DLL written to C:\Windows\System32\spool\drivers\x64\3\.
Test 4BlueKeep RDP Vulnerability Check (CVE-2019-0708)
Expected signal: Sysmon EventID 3 (Network Connection): outbound TCP connections to <target_lab_ip>:3389. On the target: Security Event ID 4625 (Logon Failure) for the authentication probe packets. IDS/IPS alerts for RDP scan signatures. Windows Defender ATP may generate a BlueKeep vulnerability detection alert on the target host based on the probe packet signatures. On the target, Security Event ID 4625 with LogonType=3 and unusual source IP.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1210 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exploitation of Remote Services

What is T1210 Exploitation of Remote Services?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1210

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Lateral Movement

Popular Detections

What is T1210 Exploitation of Remote Services?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1210

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Lateral Movement

Popular Detections

Get new detections in your inbox