MITRE ATT&CK® Detection Strategy

DET0118: Exploitation of Remote Services – multi-platform lateral movement detection

Enterprise | DET0118 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0118 is a MITRE detection strategy for identifying lateral movement that uses exploitation of remote services. Even though the detection strategy itself has no official detection text or platform list, its linked ATT&CK technique, T1210, is material because it describes adversaries abusing vulnerabilities in internal remote services to move from one system to another across Linux, Windows, macOS, and ESXi environments.

Executive priority

Treat this as a resilience and incident-readiness question: if one internal service is compromised, can the organization quickly see and contain attempts to exploit other systems? Leaders should ask whether vulnerability management, network segmentation, asset ownership, and SOC telemetry are strong enough to prevent a single foothold from becoming broader lateral movement. This also matters for audit and compliance evidence because teams may need to show how they monitor privileged internal access paths and reduce exposure from vulnerable remote services.

Technical view

Because the official detection strategy provides no detection logic, SOC and detection engineering teams should validate coverage against the related technique T1210: exploitation of remote services for lateral movement. Confirm that monitoring exists for remote service exposure and cross-host activity on each platform the related technique lists: Linux, Windows, macOS, and ESXi. Detection design should focus on suspicious internal connection patterns, exploitation indicators from service logs, new or unexpected code execution following remote access, and correlation with known vulnerable services from asset and vulnerability data.

Likely telemetry

  • Network flow and connection logs for internal east-west traffic
  • Remote service logs from Linux, Windows, macOS, and ESXi systems where available
  • Authentication and session logs associated with remote access attempts
  • Endpoint process, service, and command execution telemetry following remote connections
  • Vulnerability and asset inventory data identifying exposed remote services

Detection direction

  • Validate that east-west network visibility is sufficient; perimeter-only monitoring will miss much of this behavior.
  • Correlate internal remote service access with host execution telemetry and vulnerability context rather than relying on a single event type.
  • Tune for unusual source-destination pairs, unexpected administrative protocols, access to vulnerable services, and execution activity shortly after remote connections.
  • Account for false positives from legitimate administration, vulnerability scanning, patching, backup, and management tooling.
  • Use the relationship to T1210 as the basis for detection requirements because DET0118 does not include official detection logic.
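The correlation the list above describes (east-west connection to a known vulnerable service, followed by unexpected execution on the destination host, with allowlisting for scanner and patch traffic) is shown below as an added illustration; it is not Glexia's or MITRE's analytic, and every host name, service, and record in it is constructed sample data.

```python
"""Correlate east-west flows, vulnerable-service inventory and post-connection
host execution into a single T1210-style lateral movement alert.
Added illustration; all hosts, services and records are constructed."""
from datetime import datetime, timedelta

# Constructed inventory: (host, port) -> service process that is internally
# exposed and currently carries an unremediated vulnerability finding.
VULN_SERVICES = {("fs01", 445): "smbd", ("app02", 8080): "java"}

# Constructed allowlist: sources whose connections are expected
# (vulnerability scanner, patch management server).
EXPECTED_SOURCES = {"vulnscan01", "patchmgr01"}

# Constructed east-west flow records; perimeter-only logging would not see these.
FLOWS = [
    {"ts": "2026-03-01T10:00:05", "src": "ws17", "dst": "fs01", "dport": 445},
    {"ts": "2026-03-01T10:02:00", "src": "vulnscan01", "dst": "app02", "dport": 8080},
    {"ts": "2026-03-01T10:05:00", "src": "ws17", "dst": "app02", "dport": 8080},
]

# Constructed endpoint execution telemetry from the destination hosts.
PROCS = [
    {"ts": "2026-03-01T10:00:09", "host": "fs01", "parent": "smbd", "image": "/bin/sh"},
    {"ts": "2026-03-01T10:02:03", "host": "app02", "parent": "java", "image": "/bin/sh"},
    {"ts": "2026-03-01T10:40:00", "host": "app02", "parent": "java", "image": "/bin/sh"},
]

def _t(s):
    return datetime.fromisoformat(s)

def correlate(flows, procs, vuln_services, expected, window_s=60):
    """Alert when a non-allowlisted internal source reaches a vulnerable
    service and that service spawns a child process within window_s seconds."""
    alerts = []
    for f in flows:
        svc = vuln_services.get((f["dst"], f["dport"]))
        if svc is None or f["src"] in expected:
            continue  # not a vulnerable service, or expected scanner/patch traffic
        start = _t(f["ts"])
        end = start + timedelta(seconds=window_s)
        for p in procs:
            if (p["host"] == f["dst"] and p["parent"] == svc
                    and start <= _t(p["ts"]) <= end):
                alerts.append({"src": f["src"], "dst": f["dst"], "service": svc,
                               "child": p["image"], "technique": "T1210"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(FLOWS, PROCS, VULN_SERVICES, EXPECTED_SOURCES):
        print(alert)
```

Of the three constructed flows, only the first alerts: the second is scanner traffic on the allowlist, and the third has no child process inside the window. Widening the window or removing the allowlist shows how the false-positive trade-off in the list above plays out.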

Mitigation priorities

  • Prioritize inventory of internally exposed remote services and ownership of the systems that run them.
  • Patch or otherwise remediate vulnerabilities in remote services based on exposure, criticality, and lateral movement risk.
  • Limit internal reachability with segmentation and access controls so one compromised host cannot freely reach high-value services.
  • Harden remote services and remove unnecessary services where business need is absent.
  • Ensure incident response playbooks include containment steps for suspected lateral movement via service exploitation.

Analyst notes and limits

The most useful way to operationalize this object is as a coverage review prompt: can the organization connect vulnerability exposure, internal network movement, and post-connection host activity into a defensible lateral movement detection story? For Glexia-style managed detection or consulting work, the key deliverable would be evidence of telemetry coverage and tested detection assumptions, not a claim that this object alone defines a complete analytic.

The supplied DET0118 object has no official description, no official detection text, no tactics, and no platforms of its own. Platform and tactic context comes only from the relationship to T1210. Local architecture, asset inventory, vulnerability data, and logging configuration are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition

Exploitation of Remote Services – multi-platform lateral movement detection

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                              Relationship / procedure
Enterprise  T1210  Exploitation of Remote Services   This object detects Exploitation of Remote Services.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: 
Modified: 
Raw hash: 22356085e26a9aa1...
Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  22356085e26a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.