Exploit Public-Facing Application T1190

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Events covered

17 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 81 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so that Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (48 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| ParentImage | 29 | ends_with 22, contains 6, eq 2, starts_with 2, wildcard 1 | /java, \javaw.exe, \w3wp.exe, -tomcat-, /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root |
| Image | 27 | ends_with 26, contains 2, eq 1, is_null 1, wildcard 1 | \cmd.exe, \bitsadmin.exe, \powershell.exe, \bash.exe, \certutil.exe |
| CommandLine | 21 | contains 20, ends_with 1, regex_match 1, starts_with 1 | -classpath, .payload, /c powershell, -caroot, -clp |
| process_name | 20 | eq 12, in 4, match 2, regex_match 2, ends_with 1 | cmd.exe, powershell.exe, bash.exe, powershell_ise.exe, (?i)(pwsh\|powershell\|cmd\|curl\|wget\|certutil\|bitsadmin\|msh... |
| TargetFilename | 17 | contains 12, ends_with 8, in 3, starts_with 3, wildcard 1 | .jsp, *\\httpproxy\\oab\\*, *\\httpproxy\\owa\\auth\\*, *\\inetpub\\wwwroot\\aspnet_client\\*, .ashx |
| parent_process_name | 17 | eq 10, in 2, match 2, regex_match 2, contains 1 | (?i)Confluence.*(tomcat\d+?\|java)\.exe, (?i)sqlservr\.exe, UMWorkerProcess.exe, w3wp.exe, ScreenConnect.Service.exe |
| EventID | 14 | eq 14 | 4688, 1, 4624, 4663, 4103 |
| ParentCommandLine | 12 | contains 11, in 1 | --experimental-https, --experimental-next-config-strip-types, confluence, *--experimental-https*, *--experimental-next-config-strip-types* |
| event.type | 9 | eq 8, in 1 | start, creation, change, deletion |
| file_name | 8 | in 4, ends_with 3, eq 1 | *.ashx, *.aspx, *.asp*, .aspx, .jsp |
| OriginalFileName | 6 | eq 4, in 2 | cmd.exe, powershell.exe, powershell_ise.exe, csc.exe |
| prefix | 5 | eq 5 | src_, geo |
| CurrentDirectory | 3 | contains 3 | /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root, /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work, :\\windows\\system32\\inetsrv\\, \j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root, \j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work |
| Channel | 2 | eq 2, in 2 | |
| LogonType | 2 | eq 2 | Network |

Top indicator values (678 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| Image | ends_with | \cmd.exe | 16 | 134 |
| Image | ends_with | \powershell.exe | 14 | 186 |
| Image | ends_with | \pwsh.exe | 11 | 172 |
| Image | ends_with | \bitsadmin.exe | 7 | 29 |
| Image | ends_with | \powershell_ise.exe | 7 | 42 |
| Image | ends_with | \bash.exe | 5 | 22 |
| Image | ends_with | \certutil.exe | 5 | 44 |
| Image | ends_with | \cscript.exe | 5 | 76 |
| Image | ends_with | \sh.exe | 5 | 16 |
| Image | ends_with | \wscript.exe | 5 | 78 |
| Image | ends_with | \mshta.exe | 4 | 69 |
| Image | ends_with | \rundll32.exe | 4 | 103 |
| process_name | eq | cmd.exe | 9 | 75 |
| process_name | eq | powershell.exe | 8 | 99 |
| process_name | eq | pwsh.exe | 7 | 60 |
| process_name | eq | powershell_ise.exe | 6 | 50 |
| event.type | eq | start | 7 | 241 |
| CommandLine | contains | curl | 6 | 12 |
| CommandLine | contains | whoami | 5 | 12 |
| CommandLine | contains | powershell | 4 | 25 |
| CommandLine | contains | wget | 4 | 8 |
| CommandLine | contains | bitsadmin | 3 | 10 |
| CommandLine | contains | certutil | 3 | 12 |
| CommandLine | contains | mshta | 3 | 14 |
| CommandLine | contains | python | 3 | 3 |
| EventID | eq | 4688 | 5 | 312 |
| OriginalFileName | eq | cmd.exe | 4 | 65 |
| OriginalFileName | eq | powershell.exe | 4 | 121 |
| TargetFilename | ends_with | .jsp | 4 | 5 |
| file_name | in | *.ashx | 4 | 4 |
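As an added example (not the catalog's own code), the following Python implements the authoring-guide bookkeeping described above: vendor field normalization, once-per-rule counting for the field table, and the local-count versus corpus-reach numbers for the indicator table, run over a handful of constructed rules. The CANONICAL map, the rule ids and predicates, and the convention of counting operators once per (rule, operator) pair are assumptions, not the catalog's documented behaviour.

```python
from collections import Counter, defaultdict
# Constructed sample rules, not the catalog's real ones: a vendor-style id,
# the technique tag and a list of (field, operator, value) predicates.
RULES = [
    {"id": "sigma-1", "technique": "T1190",
     "preds": [("ParentImage", "ends_with", "\\w3wp.exe"), ("Image", "ends_with", "\\cmd.exe")]},
    {"id": "sigma-2", "technique": "T1190",
     "preds": [("Image", "ends_with", "\\cmd.exe"), ("Image", "ends_with", "\\powershell.exe")]},
    {"id": "elastic-1", "technique": "T1190",
     "preds": [("process.name", "eq", "cmd.exe"), ("event.type", "eq", "start")]},
    {"id": "splunk-1", "technique": "T1059",
     "preds": [("process_name", "eq", "cmd.exe"), ("EventID", "eq", "4688")]},
]

# Assumed vendor-to-canonical map; the page says Sigma's Image, Elastic's
# process.name and Splunk's process_name collapse into one row.
CANONICAL = {"process.name": "Image", "process_name": "Image",
             "process.parent.name": "ParentImage", "parent_process_name": "ParentImage"}

def normalize(field):
    return CANONICAL.get(field, field)

def field_stats(rules, technique):
    """Per canonical field: distinct rules filtering on it (each rule counts once)
    and operator frequency, counted once per (rule, operator) pair (an assumption)."""
    rule_sets, op_pairs = defaultdict(set), defaultdict(set)
    for r in rules:
        if r["technique"] != technique:
            continue
        for field, op, _ in r["preds"]:
            f = normalize(field)
            rule_sets[f].add(r["id"])
            op_pairs[f].add((r["id"], op))
    return {f: {"rules": len(ids), "how": dict(Counter(op for _, op in op_pairs[f]))}
            for f, ids in rule_sets.items()}

def indicator_stats(rules, technique):
    """(field, op, value) -> (rules under this technique, corpus reach). Reach counts
    rules under any technique; reach far above the local count means noisy alone."""
    here, reach = Counter(), Counter()
    for r in rules:
        for key in {(normalize(f), op, v) for f, op, v in r["preds"]}:  # once per rule
            reach[key] += 1
            if r["technique"] == technique:
                here[key] += 1
    return {k: (here[k], reach[k]) for k in here}

def ranked(stats):
    """Rank by local rule count as the page does; the reach tie-break is this example's choice."""
    return sorted(stats.items(), key=lambda kv: (-kv[1][0], kv[1][1]))
```

With these rules, Image collects three distinct rules even though sigma-2 filters it twice, and the eq cmd.exe indicator shows a corpus reach of 2 against a local count of 1 because the T1059 Splunk rule checks the same combination.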

Exclusions (107 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| process_name | eq | cmd.exe | 2 |
| CommandLine | contains | -caroot | 1 |
| CommandLine | contains | -install | 1 |
| CommandLine | contains | \| findstr listening | 1 |
| CommandLine | contains | /d /s /c | 1 |
| CommandLine | contains | \mkcert\ | 1 |
| CommandLine | contains | admanager plus | 1 |
| CommandLine | contains | git config --local --get remote.origin.url | 1 |
| CommandLine | contains | netstat -ano \| findstr /c: | 1 |
| CommandLine | contains | sc query | 1 |
| CommandLine | contains | ulimit -u | 1 |
| CommandLine | ends_with | Windows\system32\cmd.exe /c C:\ManageEngine\ADManager... | 1 |
| CommandLine | starts_with | "C:\Windows\system32\cmd.exe" | 1 |
| CommandLine | starts_with | /c echo | 1 |
| Image | ends_with | -c | 1 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma 38 rules

Elastic 10 rules

Splunk 28 rules

Kusto 5 rules