Detect Exploitation of Remote Services in IBM QRadar
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation occurs when an adversary takes advantage of a programming error in a program, service, or OS kernel to execute adversary-controlled code. Common targets include SMB (EternalBlue/MS17-010 — used by WannaCry, NotPetya, Emotet, QakBot, Bad Rabbit, APT28, Ember Bear), RDP (BlueKeep CVE-2019-0708 — used by InvisiMole, Fox Kitten), Active Directory Netlogon (ZeroLogon CVE-2020-1472 — used by Wizard Spider, Earth Lusca), Windows Print Spooler (PrintNightmare CVE-2021-1675/CVE-2021-34527 — used in ransomware operations), and VMware vCenter (VMSA-2024-0019 — ESXi hypervisor takeover). Post-exploitation typically manifests as unexpected child processes spawned from the exploited service (e.g., spoolsv.exe spawning cmd.exe), remote thread injection into privileged processes, or new services installed via SMB pipes. Successful exploitation may yield SYSTEM-level access, enabling further lateral movement, credential theft, or ransomware deployment.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1210 Exploitation of Remote Services
- Canonical reference: https://attack.mitre.org/techniques/T1210/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
devicehostname AS host,
username,
"ParentProcessPath" AS parent_process,
"ProcessPath" AS child_process,
"CommandLine" AS command_line,
CASE
WHEN LOWER("ParentProcessPath") LIKE '%spoolsv.exe' THEN 'PrintSpooler-PrintNightmare-CVE-2021-1675'
WHEN LOWER("ParentProcessPath") LIKE '%lsass.exe' THEN 'LSASS-ZeroLogon-CVE-2020-1472'
WHEN LOWER("ParentProcessPath") LIKE '%w3wp.exe' THEN 'IIS-WebServer-Exploitation'
WHEN LOWER("ParentProcessPath") LIKE '%sqlservr.exe' THEN 'SQLServer-Exploitation'
WHEN LOWER("ParentProcessPath") LIKE '%vmtoolsd.exe' THEN 'VMware-Tools-Exploitation'
WHEN LOWER("ParentProcessPath") LIKE '%winlogon.exe' THEN 'AuthService-Exploitation'
ELSE 'ServiceProcess-Exploitation'
END AS exploit_type,
CASE
WHEN QIDNAME(qid) LIKE '%Create Remote Thread%' THEN 'RemoteThreadInjection'
ELSE 'ServiceChildExploit'
END AS detection_branch,
LOGSOURCETYPENAME(logsourceid) AS log_source_type,
logsourceid
FROM events
WHERE
LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND (
(
eventid IN (1, 4688)
AND (
LOWER("ParentProcessPath") LIKE '%spoolsv.exe' OR
LOWER("ParentProcessPath") LIKE '%lsass.exe' OR
LOWER("ParentProcessPath") LIKE '%services.exe' OR
LOWER("ParentProcessPath") LIKE '%winlogon.exe' OR
LOWER("ParentProcessPath") LIKE '%w3wp.exe' OR
LOWER("ParentProcessPath") LIKE '%sqlservr.exe' OR
LOWER("ParentProcessPath") LIKE '%vmtoolsd.exe'
)
AND (
LOWER("ProcessPath") LIKE '%cmd.exe' OR
LOWER("ProcessPath") LIKE '%powershell.exe' OR
LOWER("ProcessPath") LIKE '%pwsh.exe' OR
LOWER("ProcessPath") LIKE '%net.exe' OR
LOWER("ProcessPath") LIKE '%net1.exe' OR
LOWER("ProcessPath") LIKE '%whoami.exe' OR
LOWER("ProcessPath") LIKE '%certutil.exe' OR
LOWER("ProcessPath") LIKE '%mshta.exe' OR
LOWER("ProcessPath") LIKE '%wscript.exe' OR
LOWER("ProcessPath") LIKE '%cscript.exe' OR
LOWER("ProcessPath") LIKE '%regsvr32.exe' OR
LOWER("ProcessPath") LIKE '%rundll32.exe' OR
LOWER("ProcessPath") LIKE '%msiexec.exe'
)
)
OR
(
eventid = 8
AND (
LOWER("SourceImage") LIKE '%spoolsv.exe' OR
LOWER("SourceImage") LIKE '%lsass.exe' OR
LOWER("SourceImage") LIKE '%services.exe' OR
LOWER("SourceImage") LIKE '%w3wp.exe' OR
LOWER("SourceImage") LIKE '%sqlservr.exe' OR
LOWER("SourceImage") LIKE '%vmtoolsd.exe'
)
)
)
AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LIMIT 500

QRadar AQL query detecting T1210 remote service exploitation via two signals ingested from Windows Security Event Log and Sysmon log sources: (1) process creation events (Sysmon EID 1 or Security EID 4688) where a known exploitable service process spawns a shell or living-off-the-land binary, and (2) Sysmon EID 8 CreateRemoteThread events sourced from privileged service processes. Exploit type classification maps the parent process to specific CVE campaigns. Note that the exploit_type CASE keys on "ParentProcessPath", which EID 8 events do not carry (the service appears in "SourceImage" instead), so RemoteThreadInjection rows receive the ELSE label 'ServiceProcess-Exploitation'; the detection_branch column distinguishes them. The suffix matches (LIKE '%net.exe') are deliberately broad and also match longer names ending in the same string.
Data Sources
Required Tables
False Positives & Tuning
- Windows Update service (TrustedInstaller via services.exe) spawning msiexec.exe or cmd.exe during legitimate patch application windows
- Monitoring agents (Datadog, Dynatrace, SolarWinds) hosted in IIS worker processes (w3wp.exe) that execute diagnostic PowerShell scripts during health checks
- VMware Tools update routines that briefly spawn cmd.exe from vmtoolsd.exe when applying in-guest updates or running guest customization scripts
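The following is an added example, not code from the original page or from IBM QRadar: a Python re-implementation of the AQL rule above, run over constructed Sysmon and Security events, that applies both branches (process creation from a service parent, and EID 8 CreateRemoteThread from a service source) together with the exploit_type mapping. It goes beyond the page in two ways: EID 8 rows are classified on SourceImage rather than falling to the ELSE label, and the benign pairings from the False Positives list above are suppressed only inside an assumed maintenance window, so the same parent/child pair outside that window still alerts. Field names mirror the AQL custom properties; the sample events, host names and the 02:00-05:00 window are constructed assumptions.

```python
"""Reference implementation of the page's QRadar AQL rule for T1210 over constructed events.
Added example; not part of the original page or of IBM QRadar. Field names mirror the AQL
custom properties (ParentProcessPath, ProcessPath, CommandLine, SourceImage); the sample
events and the maintenance window are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

LOG_SOURCES = ("Microsoft Windows Security Event Log", "Sysmon")

# Parent (exploitable service) and child (shell / LOLBin) suffixes from the WHERE clause.
# Like LIKE '%net.exe', a suffix match also catches longer names ending the same way.
SERVICE_PARENTS = ("spoolsv.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "w3wp.exe", "sqlservr.exe", "vmtoolsd.exe")
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe",
                       "whoami.exe", "certutil.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe")
# Sources the Sysmon EID 8 (CreateRemoteThread) branch fires on
REMOTE_THREAD_SOURCES = ("spoolsv.exe", "lsass.exe", "services.exe",
                         "w3wp.exe", "sqlservr.exe", "vmtoolsd.exe")
# exploit_type CASE expression from the SELECT list; anything else gets the ELSE label
EXPLOIT_TYPES = {
    "spoolsv.exe": "PrintSpooler-PrintNightmare-CVE-2021-1675",
    "lsass.exe": "LSASS-ZeroLogon-CVE-2020-1472",
    "w3wp.exe": "IIS-WebServer-Exploitation",
    "sqlservr.exe": "SQLServer-Exploitation",
    "vmtoolsd.exe": "VMware-Tools-Exploitation",
    "winlogon.exe": "AuthService-Exploitation",
}
# Tuning entries modelled on the page's False Positives list. The (start_hour, end_hour)
# maintenance window is a constructed assumption: a pair is suppressed only inside it.
ALLOWLIST = (
    ("services.exe", "msiexec.exe", (2, 5)),   # Windows Update via services.exe, 02:00-05:00
    ("vmtoolsd.exe", "cmd.exe", (2, 5)),       # VMware Tools in-guest update routines
)


@dataclass
class Alert:
    host: str
    exploit_type: str
    detection_branch: str
    parent: str
    child: Optional[str]


def classify_service(path: str) -> str:
    """Map the exploited service path to the page's exploit_type label (suffix match)."""
    low = path.lower()
    for suffix, label in EXPLOIT_TYPES.items():
        if low.endswith(suffix):
            return label
    return "ServiceProcess-Exploitation"


def is_allowlisted(parent: str, child: str, when: datetime, allowlist=ALLOWLIST) -> bool:
    """True when the pair is a documented benign pairing inside its maintenance window."""
    for p, c, (start, end) in allowlist:
        if parent.endswith(p) and child.endswith(c) and start <= when.hour < end:
            return True
    return False


def evaluate(event: dict) -> Optional[Alert]:
    """Apply both rule branches to one normalised event; None means no match."""
    if event.get("log_source_type") not in LOG_SOURCES:
        return None
    when = datetime.strptime(event["starttime"], "%Y-%m-%d %H:%M:%S")
    eid = event.get("eventid")
    if eid in (1, 4688):                       # process creation branch
        parent = (event.get("ParentProcessPath") or "").lower()
        child = (event.get("ProcessPath") or "").lower()
        if not (parent.endswith(SERVICE_PARENTS) and child.endswith(SUSPICIOUS_CHILDREN)):
            return None
        if is_allowlisted(parent, child, when):
            return None
        return Alert(event["host"], classify_service(parent), "ServiceChildExploit", parent, child)
    if eid == 8:                               # CreateRemoteThread branch
        source = (event.get("SourceImage") or "").lower()
        if not source.endswith(REMOTE_THREAD_SOURCES):
            return None
        # The page's CASE keys on ParentProcessPath, absent on EID 8; classify on SourceImage
        target = (event.get("TargetImage") or "").lower() or None
        return Alert(event["host"], classify_service(source), "RemoteThreadInjection", source, target)
    return None


def run(events) -> list:
    """Evaluate a batch of events and return the alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry (not captured from any real system)
SAMPLE_EVENTS = [
    {"log_source_type": "Sysmon", "eventid": 1, "host": "srv-print01", "starttime": "2024-03-04 14:02:11",
     "ParentProcessPath": r"C:\Windows\System32\spoolsv.exe", "ProcessPath": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\spool\drivers\x64\3\x.dll,Entry"},
    {"log_source_type": "Sysmon", "eventid": 1, "host": "srv-app02", "starttime": "2024-03-04 03:15:40",
     "ParentProcessPath": r"C:\Windows\System32\services.exe", "ProcessPath": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i setup.msi /quiet"},          # inside the patch window: suppressed
    {"log_source_type": "Sysmon", "eventid": 1, "host": "srv-app02", "starttime": "2024-03-04 14:30:05",
     "ParentProcessPath": r"C:\Windows\System32\services.exe", "ProcessPath": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i setup.msi /quiet"},          # same pair outside the window: alerts
    {"log_source_type": "Microsoft Windows Security Event Log", "eventid": 4688, "host": "srv-web01",
     "starttime": "2024-03-04 09:12:00", "ParentProcessPath": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ProcessPath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -NoProfile"},
    {"log_source_type": "Sysmon", "eventid": 8, "host": "dc01", "starttime": "2024-03-04 10:45:22",
     "SourceImage": r"C:\Windows\System32\lsass.exe", "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"log_source_type": "Sysmon", "eventid": 1, "host": "ws-user07", "starttime": "2024-03-04 11:00:00",
     "ParentProcessPath": r"C:\Windows\explorer.exe", "ProcessPath": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                   # ordinary user shell: no match
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"{alert.host:12} {alert.detection_branch:22} {alert.exploit_type}")
```

Running the block prints four alerts: the spooler child, the out-of-window services.exe/msiexec.exe pair, the IIS worker spawning PowerShell, and the LSASS remote thread; the in-window msiexec.exe launch and the explorer.exe shell produce nothing. A window-bound allow-list is preferable to dropping a parent/child pair from the query outright, because the rule keeps covering the pair whenever it occurs outside the documented maintenance period.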
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: EternalBlue SMB Vulnerability Scan (MS17-010 Detection)
Expected signal: Sysmon EventID 3 (Network Connection): outbound TCP connections from nmap to <target_lab_ip>:445. On the target Windows host: Security Event ID 5145 (network share access) and potentially IDS/IPS alerts on SMB probe patterns. On the scanning host: no Sysmon events (Linux), but EDR network telemetry shows port 445 probe.
- Test 2: ZeroLogon Vulnerability Check via Impacket (CVE-2020-1472)
Expected signal: Network connections from testing host to DC on TCP 135 (RPC endpoint mapper) and the dynamically assigned Netlogon RPC port. On the DC: Security Event ID 4742 (Computer Account Changed) if exploitation proceeds, Security Event ID 4625 (Logon Failure) for failed authentication attempts, and Netlogon EventID 5829/5827 (vulnerable Netlogon secure channel connection denied if patch is applied). Windows Defender will generate Alert: Zerologon exploitation attempt if Defender ATP is active.
- Test 3: PrintNightmare Exploitation via Impacket (CVE-2021-1675)
Expected signal: On the target host: Sysmon EventID 1 (Process Create) with ParentImage=C:\Windows\System32\spoolsv.exe spawning rundll32.exe or the payload process. Sysmon EventID 7 (Image Load) showing spoolsv.exe loading a DLL from a UNC path (\\attacker\share\nightmare.dll). Security Event ID 316 (Print Spooler: driver installation) in Microsoft-Windows-PrintService/Admin log. File creation event (Sysmon EventID 11) for the DLL written to C:\Windows\System32\spool\drivers\x64\3\.
- Test 4: BlueKeep RDP Vulnerability Check (CVE-2019-0708)
Expected signal: Sysmon EventID 3 (Network Connection): outbound TCP connections to <target_lab_ip>:3389. On the target: Security Event ID 4625 (Logon Failure) with LogonType=3 and an unusual source IP for the authentication probe packets. IDS/IPS alerts for RDP scan signatures. Windows Defender ATP may generate a BlueKeep vulnerability detection alert on the target host based on the probe packet signatures.
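Test 3 lists four pieces of host telemetry that should appear together when the Print Spooler is exploited. The block below is an added example, not code from the original page or from Atomic Red Team, showing how a defender can correlate those expected signals per host inside a short time window instead of alerting on each one alone: a spooler child process (Sysmon EID 1), a DLL loaded by spoolsv.exe from a UNC path (EID 7), a DLL written into the x64 driver store (EID 11), and a PrintService/Admin event 316. It uses raw Sysmon field names (ParentImage, Image, ImageLoaded, TargetFilename, Computer, UtcTime); all events, host names, the share address and the five-minute window are constructed assumptions.

```python
"""Correlate the PrintNightmare expected-signal chain from Test 3 into one finding per host.
Added example; not part of the original page or of Atomic Red Team. Raw Sysmon field names
are used; every event below is constructed and the window length is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

SPOOLSV = "spoolsv.exe"
SPOOL_DRIVER_DIR = "c:\\windows\\system32\\spool\\drivers\\x64\\3\\"
PRINTSERVICE_ADMIN = "Microsoft-Windows-PrintService/Admin"


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def signal_for(event: dict) -> Optional[str]:
    """Name the PrintNightmare signal an event represents, or None if it is not one."""
    eid = event["EventID"]
    if eid == 1 and event.get("ParentImage", "").lower().endswith(SPOOLSV):
        return "spoolsv_child"                      # spooler spawned a process
    if eid == 7 and event.get("Image", "").lower().endswith(SPOOLSV) \
            and event.get("ImageLoaded", "").startswith("\\\\"):
        return "unc_driver_load"                    # spooler loaded a DLL from a UNC path
    if eid == 11 and event.get("Image", "").lower().endswith(SPOOLSV):
        target = event.get("TargetFilename", "").lower()
        if target.startswith(SPOOL_DRIVER_DIR) and target.endswith(".dll"):
            return "driver_dll_written"             # DLL dropped into the driver store
    if eid == 316 and event.get("Channel") == PRINTSERVICE_ADMIN:
        return "driver_install"                     # PrintService reported a driver install
    return None


def correlate(events, window_minutes: int = 5, min_signals: int = 2) -> list:
    """Report hosts on which at least min_signals distinct signals land within the window."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        sig = signal_for(e)
        if sig:
            per_host[e["Computer"]].append((_ts(e), sig))
    findings = []
    for host, sigs in per_host.items():
        for t0, _ in sigs:                          # each signal anchors a forward-looking window
            kinds = {s for t, s in sigs if t0 <= t <= t0 + window}
            if len(kinds) >= min_signals:
                findings.append({"host": host, "first_seen": t0, "signals": sorted(kinds)})
                break                               # one finding per host is enough
    return findings


# Constructed sample telemetry (not captured from any real system)
SAMPLE_EVENTS = [
    # srv-print01: the full chain within a few seconds
    {"Computer": "srv-print01", "EventID": 11, "UtcTime": "2024-03-04 12:00:00",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\driver.dll"},
    {"Computer": "srv-print01", "EventID": 316, "UtcTime": "2024-03-04 12:00:01", "Channel": PRINTSERVICE_ADMIN},
    {"Computer": "srv-print01", "EventID": 7, "UtcTime": "2024-03-04 12:00:02",
     "Image": r"C:\Windows\System32\spoolsv.exe", "ImageLoaded": r"\\10.0.0.5\print\driver.dll"},
    {"Computer": "srv-print01", "EventID": 1, "UtcTime": "2024-03-04 12:00:03",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe", "Image": r"C:\Windows\System32\rundll32.exe"},
    # srv-print02: a lone spooler child, below the two-signal threshold
    {"Computer": "srv-print02", "EventID": 1, "UtcTime": "2024-03-04 08:10:00",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    # srv-print03: a local (non-UNC) load, then a driver write 30 minutes before a child
    {"Computer": "srv-print03", "EventID": 7, "UtcTime": "2024-03-04 09:00:00",
     "Image": r"C:\Windows\System32\spoolsv.exe", "ImageLoaded": r"C:\Windows\System32\localspl.dll"},
    {"Computer": "srv-print03", "EventID": 11, "UtcTime": "2024-03-04 09:00:05",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\vendor.dll"},
    {"Computer": "srv-print03", "EventID": 1, "UtcTime": "2024-03-04 09:30:00",
     "ParentImage": r"C:\Windows\System32\spoolsv.exe", "Image": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["host"], finding["first_seen"], ", ".join(finding["signals"]))
```

With the defaults only srv-print01 is reported, carrying all four signals. Widening the window to an hour also surfaces srv-print03, whose driver write and spooler child are thirty minutes apart, which is the trade-off to set consciously: a longer window catches slower activity at the cost of joining unrelated spooler events such as a vendor driver install and a later print job.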
References (12)
- https://attack.mitre.org/techniques/T1210/
- https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/
- https://nvd.nist.gov/vuln/detail/CVE-2017-0144
- https://nvd.nist.gov/vuln/detail/CVE-2019-0708
- https://nvd.nist.gov/vuln/detail/CVE-2020-1472
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
- https://github.com/vmware/vcf-security-and-compliance-guidelines/blob/main/security-advisories/vmsa-2024-0019/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2016-6662
- https://github.com/SecureAuthCorp/impacket
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1210/T1210.md
- https://www.microsoft.com/en-us/security/blog/2020/09/16/understanding-the-zerologon-vulnerability-cve-2020-1472/
- https://msrc.microsoft.com/blog/2021/07/microsoft-security-update-guide-for-printnightmare/