title: Exploitation of Remote Services (T1210)
id: df00tech-t1210
status: experimental
description: "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation occurs when an adversary takes advantage of a programming error in a program, service, or OS kernel to execute adversary-controlled code. Common targets include SMB (EternalBlue/MS17-010 — used by WannaCry, NotPetya, Emotet, QakBot, Bad Rabbit, APT28, Ember Bear), RDP (BlueKeep CVE-2019-0708 — used by InvisiMole, Fox Kitten), Active Directory Netlogon (ZeroLogon CVE-2020-1472 — used by Wizard Spider, Earth Lusca), Windows Print Spooler (PrintNightmare CVE-2021-1675/CVE-2021-34527 — used in ransomware operations), and VMware vCenter (VMSA-2024-0019 — ESXi hypervisor takeover). Post-exploitation typically manifests as unexpected child processes spawned from the exploited service (e.g., spoolsv.exe spawning cmd.exe), remote thread injection into privileged processes, or new services installed via SMB pipes. Successful exploitation may yield SYSTEM-level access, enabling further lateral movement, credential theft, or ransomware deployment."
references:
  - https://attack.mitre.org/techniques/T1210/
  - https://df00tech.com/detections/T1210
author: df00tech
date: 2026/04/19
tags:
  - attack.t1210
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated verbatim; this
  # selection encodes the parent/child process pairs named in the description
  # and falsepositives sections (add a filter for the benign pairs listed there).
  selection:
    ParentImage|endswith: ['\spoolsv.exe', '\sqlservr.exe', '\w3wp.exe', '\vmtoolsd.exe']
    Image|endswith: ['\cmd.exe', '\powershell.exe', '\rundll32.exe', '\msiexec.exe']
  condition: selection
falsepositives:
  - "Legitimate print spooler activity during driver installation may spawn msiexec.exe or rundll32.exe (spoolsv.exe -> msiexec.exe with a known printer vendor path)"
  - "SQL Server maintenance stored procedures or external scripts that invoke cmd.exe for backup/restore operations (sqlservr.exe -> cmd.exe with well-known backup tool paths)"
  - "IIS application pools running ASP.NET applications that legitimately shell out to cmd.exe for document conversion, PDF generation, or file operations (w3wp.exe -> cmd.exe in specific application pools)"
  - "VMware Tools performing guest customization or cloning operations that invoke PowerShell scripts for network configuration (vmtoolsd.exe -> powershell.exe during clone finalization)"
level: critical
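
As an added example, not part of the df00tech rule or its KQL/SPL query, the following Python evaluator applies the parent/child logic that the description and falsepositives sections describe to constructed process_creation events. Field names follow Sigma's process_creation taxonomy (ParentImage, Image, CommandLine, ParentCommandLine); the sample events and every allowlist substring (printer-vendor path, backup-tool path, application-pool name, clone script) are constructed placeholders, not values from the page or from any real environment.

```python
import ntpath
from typing import Optional

# Parent services the rule names as exploitation targets (the same parents
# appear under falsepositives as legitimately noisy).
EXPLOITABLE_PARENTS = {"spoolsv.exe", "sqlservr.exe", "w3wp.exe", "vmtoolsd.exe"}

# Child processes the rule names as post-exploitation indicators.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "msiexec.exe"}

# Exclusions modelled on the falsepositives section. Each entry is
# (parent, child, event field to inspect, lowercase substring that must occur).
# The substrings are hypothetical placeholders: an operator replaces them with
# the printer-vendor path, backup-tool path, application-pool name and
# customization script actually used in their environment.
KNOWN_BENIGN = [
    ("spoolsv.exe", "msiexec.exe", "CommandLine", "\\example-printer-vendor\\"),
    ("spoolsv.exe", "rundll32.exe", "CommandLine", "\\example-printer-vendor\\"),
    ("sqlservr.exe", "cmd.exe", "CommandLine", "\\example-backup-tool\\"),
    # IIS passes the pool name to the worker process as -ap "<name>", so the
    # pool is identified from the parent's command line, not the child's.
    ("w3wp.exe", "cmd.exe", "ParentCommandLine", '-ap "docconvertpool"'),
    ("vmtoolsd.exe", "powershell.exe", "CommandLine", "\\example-clone-finalize.ps1"),
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (what Sigma's |endswith matches)."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> Optional[str]:
    """Classify one process_creation event.

    Returns "alert" for a suspicious child of an exploitable service,
    "allowlisted" when a falsepositives exclusion explains the pair, and
    None when the rule does not apply to the event at all.
    """
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in EXPLOITABLE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    for p, c, field, needle in KNOWN_BENIGN:
        if p == parent and c == child and needle in event.get(field, "").lower():
            return "allowlisted"
    return "alert"


def triage(events) -> list:
    """Return the events that would raise the rule's critical-level alert."""
    return [e for e in events if evaluate(e) == "alert"]


# Constructed sample events (not real telemetry), in Sigma process_creation field names.
SAMPLE_EVENTS = [
    {   # the description's own example: the spooler spawning a shell
        "ParentImage": r"C:\Windows\System32\spoolsv.exe",
        "ParentCommandLine": r"C:\Windows\System32\spoolsv.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # driver installation from the (placeholder) vendor path: allowlisted
        "ParentImage": r"C:\Windows\System32\spoolsv.exe",
        "ParentCommandLine": r"C:\Windows\System32\spoolsv.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "C:\Program Files\Example-Printer-Vendor\driver.msi" /qn',
    },
    {   # SQL Server backup job via the (placeholder) backup tool: allowlisted
        "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "ParentCommandLine": "sqlservr.exe -sMSSQLSERVER",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Program Files\Example-Backup-Tool\backup.exe" full',
    },
    {   # the approved document-conversion application pool: allowlisted
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DocConvertPool" -v "v4.0"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c convert.exe in.docx out.pdf",
    },
    {   # the same child from a pool that is not approved: alert
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # a shell from a parent the rule does not cover: no match
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{evaluate(e)!s:12} {_basename(e['ParentImage'])} -> {e['CommandLine']}")
```

In Sigma terms the KNOWN_BENIGN table corresponds to a `filter` selection combined as `condition: selection and not filter`; keeping the exclusions keyed on the parent/child pair plus a path or pool identifier, rather than on the child image alone, is what keeps a critical-level rule from being silenced by a single broad exception.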
