
Exploit Public-Facing Application (T1190)

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Events covered

9 catalog events are tagged with this technique by at least one rule.

Provider            | Event ID | Title
Sysmon              | 1        | Process creation
Sysmon              | 3        | Network connection
Sysmon              | 11       | FileCreate
Security-Auditing   | 4625     | An account failed to log on.
Security-Auditing   | 4648     | A logon was attempted using explicit credentials.
Security-Auditing   | 4663     | An attempt was made to access an object.
Security-Auditing   | 4688     | A new process has been created.
Security-Auditing   | 5136     | A directory service object was modified.
Defender-DeviceInfo | 9008000  | Device inventory snapshot

Authoring guide

Patterns shared across the 24 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (15 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field                    | Rules | How                                             | Sample values
TargetFilename           | 10    | ends_with 4, eq 4, match 2, in 2, starts_with 1 | .vbs, .jsp, "*\\ScreenConnect\\App_Extensions\\*", "*\\HttpProxy\\OAB\\*", "*\\HttpProxy\\owa\\auth\\*"
Image                    | 9     | ends_with 9, eq 1, is_null 1                    | \wsl.exe, \w3wp.exe, \pwsh.exe, \csc.exe, \cmd.exe
file_name                | 6     | in 4, eq 2                                      | "*.ashx", "*.aspx", "*.asp*", "spinstall0.aspx"
ParentImage              | 4     | ends_with 4, starts_with 1, match 1             | \ScreenConnect.Service.exe, \sqlservr.exe, C:\Program Files\Microsoft SQL Server\, DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe, \ws_TomcatService.exe
process_name             | 4     | eq 2, in 2                                      | *\\ScreenConnect.Service.exe, MSExchangeMailboxReplication.exe, "java.exe", "javaw.exe", "sh.exe"
EventID                  | 3     | eq 3                                            | 5136, 4663, 4624, 4625, 4648
CommandLine              | 3     | match 2, starts_with 1, ends_with 1             | "C:\Windows\system32\cmd.exe", MSExchange, Windows\system32\cmd.exe /c C:\ManageEngine\ADManager..., sc query, ADManager Plus
ParentCommandLine        | 2     | match 2                                         | catalina.jar, CATALINA_HOME, catalina.home, \svchost.exe, termsvcs
ObjectClass              | 1     | eq 1                                            | msExchOABVirtualDirectory
AttributeValue           | 1     | match 1                                         | script
AttributeLDAPDisplayName | 1     | in 1                                            | msExchExternalHostName, msExchInternalHostName
src_ip                   | 1     | match 1, cidr_match 1                           | 10.0.0.0/8, -, ::1/128
DestinationPort          | 1     | in 1                                            | 389, 1099, 636
parent_process_name      | 1     | in 1                                            | "nginx.exe", "httpd", "java.exe"
user                     | 1     | eq 1                                            | "pswa_pool"

Top indicator values (181 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field          | Kind      | Value               | Rules (here) | Corpus reach
Image          | ends_with | \cmd.exe            | 5            | 92
Image          | ends_with | \powershell.exe     | 4            | 143
Image          | ends_with | \pwsh.exe           | 4            | 140
file_name      | in        | "*.ashx"            | 4            | 4
Image          | ends_with | \bash.exe           | 3            | 17
Image          | ends_with | \sh.exe             | 3            | 13
Image          | ends_with | \bitsadmin.exe      | 3            | 23
TargetFilename | ends_with | .aspx               | 3            | 5
Image          | ends_with | \w3wp.exe           | 3            | 6
TargetFilename | ends_with | .asp                | 3            | 4
file_name      | in        | "*.aspx"            | 3            | 3
Image          | ends_with | \nltest.exe         | 2            | 9
Image          | ends_with | \rundll32.exe       | 2            | 76
Image          | ends_with | \wsl.exe            | 2            | 8
TargetFilename | ends_with | .ashx               | 2            | 3
TargetFilename | ends_with | .ps1                | 2            | 15
TargetFilename | ends_with | .bat                | 2            | 15
TargetFilename | ends_with | .vbs                | 2            | 16
TargetFilename | ends_with | .jsp                | 2            | 2
Image          | ends_with | \powershell_ise.exe | 2            | 27
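The "combine a high-reach indicator with another condition" advice above, shown as an added example that is not part of the catalog or any of its rules. It evaluates normalized (field, operator, value) predicates using the operators named in the How column over a few constructed Sysmon process-creation events, and compares the hit count of Image ends_with \cmd.exe alone (corpus reach 92) against the same indicator anchored to a \w3wp.exe parent; the event records and operator semantics are assumptions of this example.

```python
"""Evaluate normalized detection predicates over constructed Sysmon Event ID 1 records."""
import re

# Constructed sample events (not real telemetry), already in normalized field names.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "CommandLine": "cmd.exe /c build.bat"},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "w3wp.exe -ap DefaultAppPool"},
]

# Assumed semantics for the operators listed in the How column (case-insensitive, as
# most Windows-oriented rule engines treat paths). "match" is a substring test here.
OPERATORS = {
    "eq": lambda actual, expected: actual.lower() == expected.lower(),
    "ends_with": lambda actual, expected: actual.lower().endswith(expected.lower()),
    "starts_with": lambda actual, expected: actual.lower().startswith(expected.lower()),
    "in": lambda actual, expected: actual.lower() in [e.lower() for e in expected],
    "match": lambda actual, expected: expected.lower() in actual.lower(),
    "regex_match": lambda actual, expected: re.search(expected, actual, re.IGNORECASE) is not None,
}

def predicate_matches(event, field, op, value):
    """Evaluate one (field, operator, value) predicate against a single event."""
    actual = event.get(field)
    if op == "is_null":
        return actual is None
    if actual is None:
        return False
    return OPERATORS[op](actual, value)

def rule_matches(event, predicates):
    """All predicates must hold (AND), the usual shape of a rule's selection block."""
    return all(predicate_matches(event, *p) for p in predicates)

def count_hits(events, predicates):
    """Number of events the predicate set fires on."""
    return sum(rule_matches(e, predicates) for e in events)

# A lone indicator with high corpus reach: Image ends_with \cmd.exe.
NOISY = [("Image", "ends_with", r"\cmd.exe")]
# The same indicator anchored to an IIS worker-process parent, the combination the guide recommends.
COMBINED = NOISY + [("ParentImage", "ends_with", r"\w3wp.exe")]

if __name__ == "__main__":
    print("cmd.exe alone:", count_hits(EVENTS, NOISY))            # 3 of 4 constructed events
    print("cmd.exe under w3wp.exe:", count_hits(EVENTS, COMBINED))  # 1
```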

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma (10 rules)

Splunk (9 rules)

Kusto Query Language (5 rules)