Exploit Public-Facing Application T1190
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Events covered
17 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 81 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (48 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (678 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (107 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title leads to its full predicates, exclusions, and indicators.
Sigma 38 rules
- Apache Spark Shell Command Injection - ProcessCreation
- Atlassian Confluence CVE-2022-26134
- Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- CVE-2024-50623 Exploitation Attempt - Cleo
- DNS RCE CVE-2020-1350
- Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
- Exploited CVE-2020-10189 Zoho ManageEngine
- Failed Logon From Public IP
- Linux Suspicious Child Process from Node.js - React2Shell
- LPE InstallerFileTakeOver PoC CVE-2021-41379
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- Potential CVE-2022-26809 Exploitation Attempt
- Potential Exploitation Attempt Of Undocumented WindowsServer RCE
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
- Potential Exploitation of GoAnywhere MFT Vulnerability
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
- Potential SAP NetWeaver Webshell Creation
- Potential SAP NetWeaver Webshell Creation - Linux
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
- Remote Access Tool - ScreenConnect Server Web Shell Execution
- Suspicious Child Process of SAP NetWeaver
- Suspicious Child Process of SAP NetWeaver - Linux
- Suspicious Child Process of SolarWinds WebHelpDesk
- Suspicious Child Process Of SQL Server
- Suspicious CrushFTP Child Process
- Suspicious File Drop by Exchange
- Suspicious File Write to SharePoint Layouts Directory
- Suspicious File Write to Webapps Root Directory
- Suspicious MSExchangeMailboxReplication ASPX Write
- Suspicious Process By Web Server Process
- Suspicious Processes Spawned by WinRM
- Terminal Service Process Spawn
- Windows Suspicious Child Process from Node.js - React2Shell
Elastic 10 rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files
- Microsoft Exchange Worker Spawning Suspicious Processes
- ScreenConnect Server Spawning Suspicious Processes
- Suspicious JetBrains TeamCity Child Process
- Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
- Unusual Child Process of dns.exe
- Unusual File Operation by dns.exe
- Unusual Process For MSSQL Service Accounts
- Windows Server Update Service Spawning Suspicious Processes
Splunk 28 rules
- ConnectWise ScreenConnect Path Traversal
- ConnectWise ScreenConnect Path Traversal Windows SACL
- Detect Exchange Web Shell
- Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
- Microsoft SQL Server Suspicious Child Process - Windows (Windows Event Log)
- MS Exchange Mailbox Replication service writing Active Server Pages
- Outbound Network Connection from Java Using Default Ports
- Potential Exposed SMB_RDP Port - Windows (Windows Event Log)
- Potential SMB Activity from External IP - Windows (Windows Event Log)
- Suspicious Confluence Child Process - Windows (Sysmon)
- Suspicious Confluence Child Process - Windows (Windows Event Log)
- Web or Application Server Spawning a Shell
- WebLogic CVE-2017-10271 (PowerShell)
- WebLogic CVE-2017-10271 (Sysmon)
- WebLogic CVE-2017-10271 (Windows Event Log)
- Windows Identify PowerShell Web Access IIS Pool
- Windows Metasploit Confluence Plugin Execution
- Windows MOVEit Transfer Writing ASPX
- Windows PaperCut NG Spawn Shell
- Windows SharePoint Spinstall0 Webshell File Creation
- Windows Shell or Script Execution From IIS Directory
- Windows Shell Process from CrushFTP
- Windows Suspicious React or Next.js Child Process
- Windows TeamCity Payload Execution from Temp Directory
- Windows TeamCity Plugin Installed
- Windows Unusual File Creation in Confluence Directory
- Windows WSUS Spawning Shell
- WinRM Spawning a Process
Kusto 5 rules
- AV detections related to SpringShell Vulnerability
- Exchange OAB Virtual Directory Attribute Containing Potential Webshell
- Identify SysAid Server web shell creation
- Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory
- Silk Typhoon New UM Service Child Process