T1210 Microsoft Sentinel · KQL

Detect Exploitation of Remote Services in Microsoft Sentinel

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation occurs when an adversary takes advantage of a programming error in a program, service, or OS kernel to execute adversary-controlled code. Common targets include SMB (EternalBlue/MS17-010 — used by WannaCry, NotPetya, Emotet, QakBot, Bad Rabbit, APT28, Ember Bear), RDP (BlueKeep CVE-2019-0708 — used by InvisiMole, Fox Kitten), Active Directory Netlogon (ZeroLogon CVE-2020-1472 — used by Wizard Spider, Earth Lusca), Windows Print Spooler (PrintNightmare CVE-2021-1675/CVE-2021-34527 — used in ransomware operations), and VMware vCenter (VMSA-2024-0019 — ESXi hypervisor takeover). Post-exploitation typically manifests as unexpected child processes spawned from the exploited service (e.g., spoolsv.exe spawning cmd.exe), remote thread injection into privileged processes, or new services installed via SMB pipes. Successful exploitation may yield SYSTEM-level access, enabling further lateral movement, credential theft, or ransomware deployment.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1210 Exploitation of Remote Services
Canonical reference
https://attack.mitre.org/techniques/T1210/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let ExploitableServiceParents = dynamic([
    "spoolsv.exe",
    "lsass.exe",
    "services.exe",
    "winlogon.exe",
    "w3wp.exe",
    "sqlservr.exe",
    "vmtoolsd.exe"
]);
let SuspiciousChildProcesses = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "net.exe", "net1.exe", "whoami.exe",
    "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "regsvr32.exe", "rundll32.exe", "msiexec.exe", "curl.exe", "wget.exe"
]);
// Branch 1: Unexpected shell or tool spawned directly from a network-facing or privileged service process
// This is the most reliable indicator of successful remote exploitation (PrintNightmare, ZeroLogon, SQL CVEs, VMware CVEs)
let ServiceChildExploit = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (ExploitableServiceParents)
| where FileName has_any (SuspiciousChildProcesses)
| extend ExploitType = case(
    InitiatingProcessFileName =~ "spoolsv.exe",   "PrintSpooler-PrintNightmare-CVE-2021-1675",
    InitiatingProcessFileName =~ "lsass.exe",     "LSASS-ZeroLogon-CVE-2020-1472",
    InitiatingProcessFileName =~ "w3wp.exe",      "IIS-WebServer-Exploitation",
    InitiatingProcessFileName =~ "sqlservr.exe",  "SQLServer-Exploitation-CVE-2016-6662",
    InitiatingProcessFileName =~ "vmtoolsd.exe",  "VMware-Tools-Exploitation",
    InitiatingProcessFileName =~ "winlogon.exe",  "AuthService-Exploitation",
    "ServiceProcess-Exploitation"
)
| extend DetectionBranch = "ServiceChildExploit"
| extend ExploitContext = strcat(InitiatingProcessFileName, " -> ", FileName)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ExploitType, DetectionBranch, ExploitContext;
// Branch 2: Remote thread injection from a service process into another process
// Indicates code injection following memory corruption exploit (e.g., EternalBlue shellcode injecting into winlogon)
let RemoteThreadInject = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName has_any (ExploitableServiceParents)
| extend ExploitType = "RemoteThreadInjection-PostServiceExploit"
| extend DetectionBranch = "RemoteThreadInjection"
| extend ExploitContext = strcat("Injector: ", InitiatingProcessFileName, " -> Target: ", FileName)
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         FileName,
         ProcessCommandLine = "",
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ExploitType, DetectionBranch, ExploitContext;
union ServiceChildExploit, RemoteThreadInject
| sort by Timestamp desc
critical severity medium confidence

Detects post-exploitation activity following successful remote service exploitation using two branches: (1) unexpected shell or tool processes (cmd.exe, powershell.exe, certutil.exe, etc.) spawned directly by network-facing or privileged service processes — the primary indicator of successful PrintNightmare (spoolsv.exe), ZeroLogon (lsass.exe), IIS CVEs (w3wp.exe), SQL Server exploitation (sqlservr.exe), and VMware tool exploits (vmtoolsd.exe); (2) remote thread injection calls originating from those same service processes, indicative of EternalBlue-style shellcode injecting into processes post-exploitation. The ExploitType field maps the parent process to the most likely vulnerability class.

Data Sources

Process: Process CreationProcess: OS API ExecutionMicrosoft Defender for Endpoint DeviceProcessEventsMicrosoft Defender for Endpoint DeviceEvents

Required Tables

DeviceProcessEventsDeviceEvents

False Positives & Tuning

  • Legitimate print spooler activity during driver installation may spawn msiexec.exe or rundll32.exe (spoolsv.exe -> msiexec.exe with a known printer vendor path)
  • SQL Server maintenance stored procedures or external scripts that invoke cmd.exe for backup/restore operations (sqlservr.exe -> cmd.exe with well-known backup tool paths)
  • IIS application pools running ASP.NET applications that legitimately shell out to cmd.exe for document conversion, PDF generation, or file operations (w3wp.exe -> cmd.exe in specific application pools)
  • VMware Tools performing guest customization or cloning operations that invoke PowerShell scripts for network configuration (vmtoolsd.exe -> powershell.exe during clone finalization)
Download portable Sigma rule (.yml)

Other platforms for T1210

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1EternalBlue SMB Vulnerability Scan (MS17-010 Detection)

    Expected signal: Sysmon EventID 3 (Network Connection): outbound TCP connections from nmap to <target_lab_ip>:445. On the target Windows host: Security Event ID 5145 (network share access) and potentially IDS/IPS alerts on SMB probe patterns. On the scanning host: no Sysmon events (Linux), but EDR network telemetry shows port 445 probe.

  2. Test 2ZeroLogon Vulnerability Check via Impacket (CVE-2020-1472)

    Expected signal: Network connections from testing host to DC on TCP 135 (RPC endpoint mapper) and the dynamically assigned Netlogon RPC port. On the DC: Security Event ID 4742 (Computer Account Changed) if exploitation proceeds, Security Event ID 4625 (Logon Failure) for failed authentication attempts, and Netlogon EventID 5829/5827 (vulnerable Netlogon secure channel connection denied if patch is applied). Windows Defender will generate Alert: Zerologon exploitation attempt if Defender ATP is active.

  3. Test 3PrintNightmare Exploitation via Impacket CVE-2021-1675

    Expected signal: On the target host: Sysmon EventID 1 (Process Create) with ParentImage=C:\Windows\System32\spoolsv.exe spawning rundll32.exe or the payload process. Sysmon EventID 7 (Image Load) showing spoolsv.exe loading a DLL from a UNC path (\\attacker\share\nightmare.dll). Security Event ID 316 (Print Spooler: driver installation) in Microsoft-Windows-PrintService/Admin log. File creation event (Sysmon EventID 11) for the DLL written to C:\Windows\System32\spool\drivers\x64\3\.

  4. Test 4BlueKeep RDP Vulnerability Check (CVE-2019-0708)

    Expected signal: Sysmon EventID 3 (Network Connection): outbound TCP connections to <target_lab_ip>:3389. On the target: Security Event ID 4625 (Logon Failure) for the authentication probe packets. IDS/IPS alerts for RDP scan signatures. Windows Defender ATP may generate a BlueKeep vulnerability detection alert on the target host based on the probe packet signatures. On the target, Security Event ID 4625 with LogonType=3 and unusual source IP.

Last updated: 2026-04-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1210 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1046Network Service DiscoveryT1068Exploitation for Privilege EscalationT1021.002SMB/Windows Admin SharesT1021.001Remote Desktop ProtocolT1543.003Windows ServiceT1003.001LSASS MemoryT1105Ingress Tool TransferT1570Lateral Tool TransferT1190Exploit Public-Facing Application

Same Tactic: Lateral Movement

Popular Detections