T1210

Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation occurs when an adversary takes advantage of a programming error in a program, service, or OS kernel to execute adversary-controlled code. Common targets include SMB (EternalBlue/MS17-010 — used by WannaCry, NotPetya, Emotet, QakBot, Bad Rabbit, APT28, Ember Bear), RDP (BlueKeep CVE-2019-0708 — used by InvisiMole, Fox Kitten), Active Directory Netlogon (ZeroLogon CVE-2020-1472 — used by Wizard Spider, Earth Lusca), Windows Print Spooler (PrintNightmare CVE-2021-1675/CVE-2021-34527 — used in ransomware operations), and VMware vCenter (VMSA-2024-0019 — ESXi hypervisor takeover). Post-exploitation typically manifests as unexpected child processes spawned from the exploited service (e.g., spoolsv.exe spawning cmd.exe), remote thread injection into privileged processes, or new services installed via SMB pipes. Successful exploitation may yield SYSTEM-level access, enabling further lateral movement, credential theft, or ransomware deployment.

Microsoft Sentinel / Defender

kusto

let ExploitableServiceParents = dynamic([
    "spoolsv.exe",
    "lsass.exe",
    "services.exe",
    "winlogon.exe",
    "w3wp.exe",
    "sqlservr.exe",
    "vmtoolsd.exe"
]);
let SuspiciousChildProcesses = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "net.exe", "net1.exe", "whoami.exe",
    "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "regsvr32.exe", "rundll32.exe", "msiexec.exe", "curl.exe", "wget.exe"
]);
// Branch 1: Unexpected shell or tool spawned directly from a network-facing or privileged service process
// This is the most reliable indicator of successful remote exploitation (PrintNightmare, ZeroLogon, SQL CVEs, VMware CVEs)
let ServiceChildExploit = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (ExploitableServiceParents)
| where FileName has_any (SuspiciousChildProcesses)
| extend ExploitType = case(
    InitiatingProcessFileName =~ "spoolsv.exe",   "PrintSpooler-PrintNightmare-CVE-2021-1675",
    InitiatingProcessFileName =~ "lsass.exe",     "LSASS-ZeroLogon-CVE-2020-1472",
    InitiatingProcessFileName =~ "w3wp.exe",      "IIS-WebServer-Exploitation",
    InitiatingProcessFileName =~ "sqlservr.exe",  "SQLServer-Exploitation-CVE-2016-6662",
    InitiatingProcessFileName =~ "vmtoolsd.exe",  "VMware-Tools-Exploitation",
    InitiatingProcessFileName =~ "winlogon.exe",  "AuthService-Exploitation",
    "ServiceProcess-Exploitation"
)
| extend DetectionBranch = "ServiceChildExploit"
| extend ExploitContext = strcat(InitiatingProcessFileName, " -> ", FileName)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ExploitType, DetectionBranch, ExploitContext;
// Branch 2: Remote thread injection from a service process into another process
// Indicates code injection following memory corruption exploit (e.g., EternalBlue shellcode injecting into winlogon)
let RemoteThreadInject = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName has_any (ExploitableServiceParents)
| extend ExploitType = "RemoteThreadInjection-PostServiceExploit"
| extend DetectionBranch = "RemoteThreadInjection"
| extend ExploitContext = strcat("Injector: ", InitiatingProcessFileName, " -> Target: ", FileName)
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         FileName,
         ProcessCommandLine = "",
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ExploitType, DetectionBranch, ExploitContext;
union ServiceChildExploit, RemoteThreadInject
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Microsoft Defender for Endpoint DeviceProcessEvents Microsoft Defender for Endpoint DeviceEvents

Required Tables

DeviceProcessEvents DeviceEvents

False Positives

Legitimate print spooler activity during driver installation may spawn msiexec.exe or rundll32.exe (spoolsv.exe -> msiexec.exe with a known printer vendor path)
SQL Server maintenance stored procedures or external scripts that invoke cmd.exe for backup/restore operations (sqlservr.exe -> cmd.exe with well-known backup tool paths)
IIS application pools running ASP.NET applications that legitimately shell out to cmd.exe for document conversion, PDF generation, or file operations (w3wp.exe -> cmd.exe in specific application pools)
VMware Tools performing guest customization or cloning operations that invoke PowerShell scripts for network configuration (vmtoolsd.exe -> powershell.exe during clone finalization)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=1 OR EventCode=8)
| eval NormalizedParent=coalesce(ParentImage, SourceImage)
| eval NormalizedChild=coalesce(Image, TargetImage)
| eval IsServiceChildExploit=if(
    EventCode=1 AND
    (
      NormalizedParent="*\\spoolsv.exe" OR NormalizedParent="*\\lsass.exe" OR
      NormalizedParent="*\\services.exe" OR NormalizedParent="*\\winlogon.exe" OR
      NormalizedParent="*\\w3wp.exe" OR NormalizedParent="*\\sqlservr.exe" OR
      NormalizedParent="*\\vmtoolsd.exe"
    ) AND
    (
      NormalizedChild="*\\cmd.exe" OR NormalizedChild="*\\powershell.exe" OR
      NormalizedChild="*\\pwsh.exe" OR NormalizedChild="*\\net.exe" OR
      NormalizedChild="*\\net1.exe" OR NormalizedChild="*\\whoami.exe" OR
      NormalizedChild="*\\certutil.exe" OR NormalizedChild="*\\mshta.exe" OR
      NormalizedChild="*\\wscript.exe" OR NormalizedChild="*\\cscript.exe" OR
      NormalizedChild="*\\regsvr32.exe" OR NormalizedChild="*\\rundll32.exe" OR
      NormalizedChild="*\\msiexec.exe"
    ),
    1, 0
)
| eval IsRemoteThreadInject=if(
    EventCode=8 AND
    (
      NormalizedParent="*\\spoolsv.exe" OR NormalizedParent="*\\lsass.exe" OR
      NormalizedParent="*\\services.exe" OR NormalizedParent="*\\w3wp.exe" OR
      NormalizedParent="*\\sqlservr.exe" OR NormalizedParent="*\\vmtoolsd.exe"
    ),
    1, 0
)
| where IsServiceChildExploit=1 OR IsRemoteThreadInject=1
| eval DetectionBranch=if(IsServiceChildExploit=1, "ServiceChildExploit", "RemoteThreadInjection")
| eval ExploitType=case(
    match(NormalizedParent, "spoolsv\.exe"),  "PrintSpooler-PrintNightmare",
    match(NormalizedParent, "lsass\.exe"),    "LSASS-ZeroLogon-Exploitation",
    match(NormalizedParent, "w3wp\.exe"),     "IIS-WebServer-Exploitation",
    match(NormalizedParent, "sqlservr\.exe"), "SQLServer-Exploitation",
    match(NormalizedParent, "vmtoolsd\.exe"), "VMware-Exploitation",
    match(NormalizedParent, "winlogon\.exe"), "AuthService-Exploitation",
    true(), "ServiceProcess-Exploitation"
)
| eval PostExploitIndicators=mvappend(
    if(match(lower(CommandLine), "(whoami|net user|net localgroup|hostname|ipconfig|systeminfo|nltest)"), "SystemRecon", null()),
    if(match(lower(CommandLine), "(-enc|-encodedcommand|bypass|downloadstring|invoke-expression|iex)"), "PowerShellObfuscation", null()),
    if(match(lower(NormalizedChild), "(certutil|mshta|regsvr32|rundll32)\.exe"), "LOLBinExecution", null()),
    if(match(lower(CommandLine), "(net use|copy .*\\\\\\\\|xcopy|robocopy)"), "LateralMovementCmd", null()),
    if(match(lower(CommandLine), "(net user.*\/add|localgroup.*administrators)"), "PrivilegeEscalation", null())
)
| table _time, host, User, NormalizedChild, CommandLine, NormalizedParent, ParentCommandLine, ExploitType, DetectionBranch, PostExploitIndicators
| rename NormalizedChild as ChildProcess, NormalizedParent as ParentProcess
| sort - _time

critical severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Sysmon Event ID 1 Sysmon Event ID 8

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate print spooler driver installation spawning msiexec.exe or rundll32.exe with known vendor installer paths
SQL Server maintenance jobs invoking cmd.exe for backup utility execution (verify against known backup schedules and paths)
IIS application pools shelling out to cmd.exe for document processing (ASP.NET applications calling pdfconvert, ImageMagick, etc.)
VMware Tools customization scripts invoking PowerShell during VM provisioning or clone finalization

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  "ParentProcessPath" AS parent_process,
  "ProcessPath" AS child_process,
  "CommandLine" AS command_line,
  CASE
    WHEN LOWER("ParentProcessPath") LIKE '%spoolsv.exe' THEN 'PrintSpooler-PrintNightmare-CVE-2021-1675'
    WHEN LOWER("ParentProcessPath") LIKE '%lsass.exe' THEN 'LSASS-ZeroLogon-CVE-2020-1472'
    WHEN LOWER("ParentProcessPath") LIKE '%w3wp.exe' THEN 'IIS-WebServer-Exploitation'
    WHEN LOWER("ParentProcessPath") LIKE '%sqlservr.exe' THEN 'SQLServer-Exploitation'
    WHEN LOWER("ParentProcessPath") LIKE '%vmtoolsd.exe' THEN 'VMware-Tools-Exploitation'
    WHEN LOWER("ParentProcessPath") LIKE '%winlogon.exe' THEN 'AuthService-Exploitation'
    ELSE 'ServiceProcess-Exploitation'
  END AS exploit_type,
  CASE
    WHEN QIDNAME(qid) LIKE '%Create Remote Thread%' THEN 'RemoteThreadInjection'
    ELSE 'ServiceChildExploit'
  END AS detection_branch,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  logsourceid
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
      eventid IN (1, 4688)
      AND (
        LOWER("ParentProcessPath") LIKE '%spoolsv.exe' OR
        LOWER("ParentProcessPath") LIKE '%lsass.exe' OR
        LOWER("ParentProcessPath") LIKE '%services.exe' OR
        LOWER("ParentProcessPath") LIKE '%winlogon.exe' OR
        LOWER("ParentProcessPath") LIKE '%w3wp.exe' OR
        LOWER("ParentProcessPath") LIKE '%sqlservr.exe' OR
        LOWER("ParentProcessPath") LIKE '%vmtoolsd.exe'
      )
      AND (
        LOWER("ProcessPath") LIKE '%cmd.exe' OR
        LOWER("ProcessPath") LIKE '%powershell.exe' OR
        LOWER("ProcessPath") LIKE '%pwsh.exe' OR
        LOWER("ProcessPath") LIKE '%net.exe' OR
        LOWER("ProcessPath") LIKE '%net1.exe' OR
        LOWER("ProcessPath") LIKE '%whoami.exe' OR
        LOWER("ProcessPath") LIKE '%certutil.exe' OR
        LOWER("ProcessPath") LIKE '%mshta.exe' OR
        LOWER("ProcessPath") LIKE '%wscript.exe' OR
        LOWER("ProcessPath") LIKE '%cscript.exe' OR
        LOWER("ProcessPath") LIKE '%regsvr32.exe' OR
        LOWER("ProcessPath") LIKE '%rundll32.exe' OR
        LOWER("ProcessPath") LIKE '%msiexec.exe'
      )
    )
    OR
    (
      eventid = 8
      AND (
        LOWER("SourceImage") LIKE '%spoolsv.exe' OR
        LOWER("SourceImage") LIKE '%lsass.exe' OR
        LOWER("SourceImage") LIKE '%services.exe' OR
        LOWER("SourceImage") LIKE '%w3wp.exe' OR
        LOWER("SourceImage") LIKE '%sqlservr.exe' OR
        LOWER("SourceImage") LIKE '%vmtoolsd.exe'
      )
    )
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LIMIT 500

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon via Windows Event Log forwarding Microsoft Windows Sysmon DSM

Required Tables

events

False Positives

Windows Update service (TrustedInstaller via services.exe) spawning msiexec.exe or cmd.exe during legitimate patch application windows
Monitoring agents (Datadog, Dynatrace, SolarWinds) hosted in IIS worker processes (w3wp.exe) that execute diagnostic PowerShell scripts during health checks
VMware Tools update routines that briefly spawn cmd.exe from vmtoolsd.exe when applying in-guest updates or running guest customization scripts

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*
| where (%"EventID" = "1" OR %"EventID" = "4688" OR %"EventID" = "8")
| if(%"EventID" = "8", %"SourceImage", %"ParentImage") as NormalizedParent
| if(%"EventID" = "8", %"TargetImage", %"Image") as NormalizedChild
| where (
    (%"EventID" in ("1","4688") AND
      (
        NormalizedParent matches "*\\spoolsv.exe" OR
        NormalizedParent matches "*\\lsass.exe" OR
        NormalizedParent matches "*\\services.exe" OR
        NormalizedParent matches "*\\winlogon.exe" OR
        NormalizedParent matches "*\\w3wp.exe" OR
        NormalizedParent matches "*\\sqlservr.exe" OR
        NormalizedParent matches "*\\vmtoolsd.exe"
      ) AND
      (
        NormalizedChild matches "*\\cmd.exe" OR
        NormalizedChild matches "*\\powershell.exe" OR
        NormalizedChild matches "*\\pwsh.exe" OR
        NormalizedChild matches "*\\net.exe" OR
        NormalizedChild matches "*\\net1.exe" OR
        NormalizedChild matches "*\\whoami.exe" OR
        NormalizedChild matches "*\\certutil.exe" OR
        NormalizedChild matches "*\\mshta.exe" OR
        NormalizedChild matches "*\\wscript.exe" OR
        NormalizedChild matches "*\\cscript.exe" OR
        NormalizedChild matches "*\\regsvr32.exe" OR
        NormalizedChild matches "*\\rundll32.exe" OR
        NormalizedChild matches "*\\msiexec.exe"
      )
    )
    OR
    (%"EventID" = "8" AND
      (
        NormalizedParent matches "*\\spoolsv.exe" OR
        NormalizedParent matches "*\\lsass.exe" OR
        NormalizedParent matches "*\\services.exe" OR
        NormalizedParent matches "*\\w3wp.exe" OR
        NormalizedParent matches "*\\sqlservr.exe" OR
        NormalizedParent matches "*\\vmtoolsd.exe"
      )
    )
  )
| if(%"EventID" = "8", "RemoteThreadInjection", "ServiceChildExploit") as DetectionBranch
| if(NormalizedParent matches "*\\spoolsv.exe", "PrintSpooler-PrintNightmare-CVE-2021-1675",
    if(NormalizedParent matches "*\\lsass.exe", "LSASS-ZeroLogon-CVE-2020-1472",
    if(NormalizedParent matches "*\\w3wp.exe", "IIS-WebServer-Exploitation",
    if(NormalizedParent matches "*\\sqlservr.exe", "SQLServer-Exploitation",
    if(NormalizedParent matches "*\\vmtoolsd.exe", "VMware-Exploitation",
    if(NormalizedParent matches "*\\winlogon.exe", "AuthService-Exploitation",
    "ServiceProcess-Exploitation")))))) as ExploitType
| count by _messageTime, Computer, User, NormalizedParent, NormalizedChild, %"CommandLine", ExploitType, DetectionBranch
| fields - _count
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sysmon (Windows Event Forwarding) Windows Security Event Log Sumo Logic Installed Collector (Windows)

Required Tables

Windows Sysmon logs (_sourceCategory=*sysmon*) Windows Event Logs (_sourceCategory=*wineventlog*)

False Positives

Scheduled tasks that run under services.exe context and legitimately execute PowerShell or cmd.exe for automation, backup, or reporting jobs during business hours
IIS-hosted web applications (w3wp.exe) that invoke certutil.exe or msiexec.exe as part of documented certificate renewal workflows or self-updating application packages
SQL Server jobs using CmdExec step type that execute system commands via sqlservr.exe spawning cmd.exe — especially common in legacy DBA automation scripts

Google Chronicle / SecOps

yaral

rule t1210_exploitation_remote_services {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1210 - Exploitation of Remote Services. Identifies suspicious child processes spawned from exploitable Windows service executables (PrintNightmare, ZeroLogon, IIS, SQL, VMware CVEs) and CreateRemoteThread injection from service processes."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1210"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1210/"
    version = "1.0"

  events:
    (
      // Branch 1: Service parent spawning suspicious child (process create)
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$`)
        or re.regex($e1.target.process.file.full_path, `(?i)(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$`)
      )
      and re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|pwsh|net|net1|whoami|certutil|mshta|wscript|cscript|regsvr32|rundll32|msiexec|curl|wget)\.exe$`)
    )
    or
    (
      // Branch 2: CreateRemoteThread from service process (injection)
      $e1.metadata.event_type = "INJECTED_CODE"
      and re.regex($e1.principal.process.file.full_path, `(?i)(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$`)
    )

  condition:
    $e1
}

critical severity high confidence

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH events) Google Chronicle UDM (INJECTED_CODE events) Chronicle Forwarder with Windows Event Log / Sysmon parser CrowdStrike Falcon Chronicle integration

Required Tables

UDM Events (PROCESS_LAUNCH) UDM Events (INJECTED_CODE)

False Positives

Enterprise software management solutions (Tanium, BigFix) that deploy updates or run inventory scripts through service processes, legitimately spawning cmd.exe or PowerShell during maintenance windows
Print management software or printer driver installers that temporarily spawn shell processes from spoolsv.exe during legitimate printer driver installation or update operations
Web application frameworks (ASP.NET, Java on IIS) that use process execution for PDF generation, image processing, or external tool invocation as documented application functionality

CrowdStrike LogScale (CQL)

cql

// Branch 1: Suspicious child processes from exploitable service parents
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$/i
| FileName = /^(cmd|powershell|pwsh|net|net1|whoami|certutil|mshta|wscript|cscript|regsvr32|rundll32|msiexec|curl|wget)\.exe$/i
| ExploitType := case {
    ParentBaseFileName = /spoolsv\.exe/i, "PrintSpooler-PrintNightmare-CVE-2021-1675" ;
    ParentBaseFileName = /lsass\.exe/i, "LSASS-ZeroLogon-CVE-2020-1472" ;
    ParentBaseFileName = /w3wp\.exe/i, "IIS-WebServer-Exploitation" ;
    ParentBaseFileName = /sqlservr\.exe/i, "SQLServer-Exploitation" ;
    ParentBaseFileName = /vmtoolsd\.exe/i, "VMware-Tools-Exploitation" ;
    ParentBaseFileName = /winlogon\.exe/i, "AuthService-Exploitation" ;
    * , "ServiceProcess-Exploitation"
  }
| DetectionBranch := "ServiceChildExploit"
| table([#timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, ExploitType, DetectionBranch])

UNION

// Branch 2: Remote thread injection from service processes
#event_simpleName=CreateRemoteThreadV5
| SourceProcessImageFileName = /^(spoolsv|lsass|services|winlogon|w3wp|sqlservr|vmtoolsd)\.exe$/i
| ExploitType := "RemoteThreadInjection-PostServiceExploit"
| DetectionBranch := "RemoteThreadInjection"
| table([#timestamp, ComputerName, UserName, SourceProcessImageFileName, TargetProcessImageFileName, TargetProcessId, ExploitType, DetectionBranch])

| sort(field=@timestamp, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR) Falcon sensor process telemetry (ProcessRollup2) Falcon sensor injection telemetry (CreateRemoteThreadV5)

Required Tables

ProcessRollup2 CreateRemoteThreadV5

False Positives

CrowdStrike Falcon sensor updates or diagnostics that temporarily manifest as service-spawned child processes on endpoints receiving sensor version upgrades
SQL Server Reporting Services (SSRS) or SQL Server Integration Services (SSIS) executing PowerShell tasks as part of legitimate ETL pipelines or scheduled report generation jobs via sqlservr.exe
VMware Tools guest customization scripts that run during VM provisioning or cloning operations, spawning cmd.exe from vmtoolsd.exe to execute sysprep-related commands

Last updated: 2026-04-19 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1210 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exploitation of Remote Services

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Lateral Movement

Popular Detections