MITRE ATT&CK Technique
Lateral Movement T1210
Description

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB(Citation: CIS Multiple SMB Vulnerabilities) and RDP(Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL(Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Additionally, there have been a number of vulnerabilities in VMware vCenter installations, which may enable threat actors to move laterally from the compromised vCenter server to virtual machines or even to ESXi hypervisors.(Citation: Broadcom VMSA-2024-0019)

Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.

Supported Platforms
Linux Windows macOS ESXi
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2018-04-18T17:59:24.739Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may exploit remote services to gain unauthorized '
                'access to internal systems once inside of a network. '
                'Exploitation of a software vulnerability occurs when an '
                'adversary takes advantage of a programming error in a '
                'program, service, or within the operating system software or '
                'kernel itself to execute adversary-controlled code.\xa0A '
                'common goal for post-compromise exploitation of remote '
                'services is for lateral movement to enable access to a remote '
                'system.\n'
                '\n'
                'An adversary may need to determine if the remote system is in '
                'a vulnerable state, which may be done through [Network '
                'Service Discovery](https://attack.mitre.org/techniques/T1046) '
                'or other Discovery methods looking for common, vulnerable '
                'software that may be deployed in the network, the lack of '
                'certain patches that may indicate vulnerabilities,  or '
                'security software that may be used to detect or contain '
                'remote exploitation. Servers are likely a high value target '
                'for lateral movement exploitation, but endpoint systems may '
                'also be at risk if they provide an advantage or access to '
                'additional resources.\n'
                '\n'
                'There are several well-known vulnerabilities that exist in '
                'common services such as SMB(Citation: CIS Multiple SMB '
                'Vulnerabilities) and RDP(Citation: NVD CVE-2017-0176) as well '
                'as applications that may be used within internal networks '
                'such as MySQL(Citation: NVD CVE-2016-6662) and web server '
                'services.(Citation: NVD CVE-2014-7169)(Citation: Ars Technica '
                'VMWare Code Execution Vulnerability 2021) Additionally, there '
                'have been a number of vulnerabilities in VMware vCenter '
                'installations, which may enable threat actors to move '
                'laterally from the compromised vCenter server to virtual '
                'machines or even to ESXi hypervisors.(Citation: Broadcom '
                'VMSA-2024-0019)\n'
                '\n'
                'Depending on the permissions level of the vulnerable remote '
                'service an adversary may achieve [Exploitation for Privilege '
                'Escalation](https://attack.mitre.org/techniques/T1068) as a '
                'result of lateral movement exploitation as well.',
 'external_references': [{'external_id': 'T1210',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1210'},
                         {'description': 'Broadcom. (2024, September 17). '
                                         'VMSA-2024-0019: Questions & Answers. '
                                         'Retrieved April 8, 2025.',
                          'source_name': 'Broadcom VMSA-2024-0019',
                          'url': 'https://github.com/vmware/vcf-security-and-compliance-guidelines/blob/main/security-advisories/vmsa-2024-0019/README.md'},
                         {'description': 'CIS. (2017, May 15). Multiple '
                                         'Vulnerabilities in Microsoft Windows '
                                         'SMB Server Could Allow for Remote '
                                         'Code Execution. Retrieved April 3, '
                                         '2018.',
                          'source_name': 'CIS Multiple SMB Vulnerabilities',
                          'url': 'https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/'},
                         {'description': 'Dan Goodin . (2021, February 25). '
                                         'Code-execution flaw in VMware has a '
                                         'severity rating of 9.8 out of 10. '
                                         'Retrieved April 8, 2025.',
                          'source_name': 'Ars Technica VMWare Code Execution '
                                         'Vulnerability 2021',
                          'url': 'https://arstechnica.com/information-technology/2021/02/armed-with-exploits-hackers-on-the-prowl-for-a-critical-vmware-vulnerability/'},
                         {'description': 'National Vulnerability Database. '
                                         '(2017, February 2). CVE-2016-6662 '
                                         'Detail. Retrieved April 3, 2018.',
                          'source_name': 'NVD CVE-2016-6662',
                          'url': 'https://nvd.nist.gov/vuln/detail/CVE-2016-6662'},
                         {'description': 'National Vulnerability Database. '
                                         '(2017, June 22). CVE-2017-0176 '
                                         'Detail. Retrieved April 3, 2018.',
                          'source_name': 'NVD CVE-2017-0176',
                          'url': 'https://nvd.nist.gov/vuln/detail/CVE-2017-0176'},
                         {'description': 'National Vulnerability Database. '
                                         '(2017, September 24). CVE-2014-7169 '
                                         'Detail. Retrieved April 3, 2018.',
                          'source_name': 'NVD CVE-2014-7169',
                          'url': 'https://nvd.nist.gov/vuln/detail/CVE-2014-7169'}],
 'id': 'attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'lateral-movement'}],
 'modified': '2025-10-24T17:49:09.112Z',
 'name': 'Exploitation of Remote Services',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['ExtraHop'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'Windows', 'macOS', 'ESXi'],
 'x_mitre_version': '1.2'}
Related Threat Actors (12)
devman
High

Wizard Spider
High

FIN7
High

Dragonfly
High

Fox Kitten
High