T1428: Exploitation of Remote Services
Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
Depending on the permissions level of the vulnerable remote service, an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.
Analyst context for executives and security teams
T1428 matters because a compromised Android or iOS device with enterprise network access can become a path into internal systems. The business issue is not only mobile malware; it is whether mobile connectivity, VPN access, and exposed internal services create lateral movement opportunities that bypass assumptions about perimeter and endpoint controls.
Executive priority
Leaders should treat this as a mobile-to-enterprise resilience question: which internal services can mobile devices reach, are those services patched, and can the organization prove through policy and telemetry that mobile access is controlled? This technique is relevant to incident decision-making because a mobile compromise may require investigation of downstream servers, workstations, VPN sessions, and vulnerable services rather than only the device itself.
Technical view
ATT&CK provides no native detection text for this technique, but it does identify Android and iOS as platforms and describes exploitation of remote enterprise services through local connectivity or VPN. SOC and IR teams should validate whether DET0663-aligned detection logic exists for mobile-originated access to internal services, especially where service scanning, vulnerable software exposure, missing patches, or suspicious access to high-value servers could precede lateral movement. Because T1428 may also lead to privilege escalation depending on the remote service permissions, investigations should correlate mobile network access with server-side exploitation indicators and privilege changes.
Likely telemetry
- VPN session records and mobile-originated internal network access logs
- Network flow, firewall, proxy, and IDS/IPS events showing mobile device connectivity to internal services
- EMM/MDM inventory, compliance state, and policy assignment records
- Server and workstation service logs for authentication, connection attempts, crashes, or exploit-like behavior
- Vulnerability and patch inventory for internal services reachable from mobile networks
Detection direction
- Confirm whether mobile device network segments and VPN address pools are included in lateral movement and exploitation monitoring.
- Tune detections for unusual mobile-originated connections to internal servers, repeated service probing, or access to services with known vulnerable or unpatched states.
- Correlate mobile telemetry with server-side logs; mobile-only visibility may miss the exploitation outcome on the target system.
- Use the related DET0663 detection strategy as a coverage anchor, but require local validation because the ATT&CK object does not provide detection logic.
- Account for false positives from legitimate administration, vulnerability scanning, and normal mobile application access to enterprise services.
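One way to put the correlation points above into practice, as an added example that is not part of the ATT&CK object or Glexia's analysis: join VPN session records to flow logs, scope to the mobile/VPN address pool, and flag sources that probe many internal services or reach services the patch inventory marks as unpatched. The VPN pool, probe threshold, log format and inventory values are all constructed assumptions.

```python
"""Added example: flag mobile/VPN-originated probing or access to unpatched services."""
import ipaddress
from collections import defaultdict

# Assumed VPN address pool for mobile devices and an assumed tuning threshold.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")
PROBE_THRESHOLD = 5          # distinct (host, port) pairs per source before flagging

# Constructed VPN session records: assigned address -> (user, device, MDM compliant)
VPN_SESSIONS = {
    "10.200.0.17": ("j.doe", "android-pixel-01", True),
    "10.200.0.42": ("a.smith", "ios-iphone-07", False),
}
# Constructed vulnerability/patch inventory for internal services: (host, port) -> status
VULN_INVENTORY = {("10.10.5.20", 445): "unpatched", ("10.10.5.30", 8080): "patched"}

# Constructed flow log lines in the form "src_ip dst_ip dst_port"
FLOW_LOGS = """\
10.200.0.17 10.10.5.30 8080
10.200.0.42 10.10.5.20 445
10.200.0.42 10.10.5.20 22
10.200.0.42 10.10.5.20 3389
10.200.0.42 10.10.5.21 445
10.200.0.42 10.10.5.22 445
10.200.0.42 10.10.5.23 445
10.0.3.9 10.10.5.20 445
"""

def analyze(flow_text, sessions, inventory, pool=VPN_POOL, threshold=PROBE_THRESHOLD):
    """Return findings keyed by VPN source address: 'probing' and/or 'vulnerable_access'."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        if ipaddress.ip_address(src) in pool:   # keep only mobile/VPN-originated traffic
            targets[src].add((dst, int(port)))
    findings = {}
    for src, pairs in targets.items():
        user, device, compliant = sessions.get(src, ("unknown", "unknown", False))
        vuln = sorted(f"{h}:{p}" for h, p in pairs if inventory.get((h, p)) == "unpatched")
        flags = []
        if len(pairs) >= threshold:          # many distinct services touched: service probing
            flags.append("probing")
        if vuln:                             # reached a service the inventory marks unpatched
            flags.append("vulnerable_access")
        if flags:
            findings[src] = {"user": user, "device": device, "mdm_compliant": compliant,
                             "flags": flags, "vulnerable_services": vuln}
    return findings
```

Traffic from outside the VPN pool (10.0.3.9 above) is ignored by design, which is exactly why server-side logs must still be correlated separately.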
Mitigation priorities
- Use enterprise mobility management/mobile device management policy controls, consistent with M1012 Enterprise Policy, to govern allowed mobile behavior and access.
- Limit mobile and VPN access to only required internal services; avoid broad reachability from mobile devices to servers and workstations.
- Prioritize patching and vulnerability management for remote services reachable from mobile networks or VPN-connected devices.
- Segment mobile-accessible networks from high-value server environments where feasible.
- Maintain incident response playbooks that expand from a suspected mobile compromise to review internal systems the device could reach.
Analyst notes and limits
The relationship context shows NotCompatible and DressCode using this technique, both described as Android malware families, but that does not imply current activity or exposure. The strongest defensive value is validating whether mobile access paths can reach vulnerable internal services and whether telemetry links mobile sessions to server-side events.
The ATT&CK object has no specified tactics and no official detection text. Control and detection recommendations therefore depend on the supplied description, the DET0663 detection-strategy relationship, and M1012 Enterprise Policy; local architecture, VPN design, service exposure, and logging coverage are required to assess real risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0300: DressCode
S0299: NotCompatible
NotCompatible is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. [1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | f6cce09c09ee… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NIST Mobile Threat Catalogue APP-32
- [2] mitre-attack T1428
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.