T0866: Exploitation of Remote Services
Essential information
- MITRE technique ID
T0866- Confidence
- 100/100
- Revoked
- No
- Published
- 21/05/2020 19:43
- Modified
- 27/03/2026 01:44
- Author / Source
- The MITRE Corporation
Description
Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)
ICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-ics-attack | initial-access |
| mitre-ics-attack | lateral-movement |
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.