Exploitation of Remote Services - T1210
(ATT&CK® Technique)
Definition
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
D3FEND Inferred Relationships
Artifacts affected by T1210 (Exploitation of Remote Services):
T1210 may-modify Process Segment
T1210 may-modify Process Code Segment
T1210 may-modify Stack Frame
T1210 produces Intranet Network Traffic

Defensive techniques that may-detect T1210:
User Geolocation Logon Pattern Analysis: analyzes Intranet Network Traffic
Client-server Payload Profiling: analyzes Intranet Network Traffic
Network Traffic Signature Analysis: analyzes Intranet Network Traffic
Connection Attempt Analysis: analyzes Intranet Network Traffic
Network Traffic Community Deviation: analyzes Intranet Network Traffic
Remote Terminal Session Detection: analyzes Intranet Network Traffic
Protocol Metadata Anomaly Detection: analyzes Intranet Network Traffic
Per Host Download-Upload Ratio Analysis: analyzes Intranet Network Traffic
Shadow Stack Comparisons: analyzes Stack Frame
Process Code Segment Verification: verifies Process Code Segment
Memory Boundary Tracking: analyzes Process Code Segment

Defensive techniques that may-harden T1210:
Segment Address Offset Randomization: obfuscates Process Segment; obfuscates Process Code Segment
Stack Frame Canary Validation: validates Stack Frame
Process Segment Execution Prevention: neutralizes Process Segment; neutralizes Process Code Segment

Defensive techniques that may-isolate T1210:
Network Traffic Filtering: filters Intranet Network Traffic