T1190: Exploit Public-Facing Application
| View on MITRE ATT&CK | T1190 |
|---|---|
| Tactic(s) | Initial Access |
Data from MITRE ATT&CK®:
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion.
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
Connect:fun Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788
This report from Vedere Labs at Forescout Research details an exploitation campaign which they have designated Connect:fun. The attacks exploit ...
FamousSparrow: A suspicious hotel guest
This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
#StopRansomware: LockBit 3.0
This #StopRansomware Cybersecurity Advisory from CISA and partners describes the operations associated with LockBit 3.0 which operates as a ...
#StopRansomware: Play Ransomware
This is a Cybersecurity Advisory from CISA with US and international partners which outlines TTPs (tactics, techniques and procedures) and IoCs ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the RedHotel intrusion set. RedHotel is identified as a prominent Chinese ...
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
Mitigations for this technique
MITRE ATT&CK Mitigations
Application Isolation and Sandboxing
Restrict execution of code to a virtual environment on or in transit to an endpoint system.
Exploit Protection
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Vulnerability Scanning
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Update Software
Perform regular software updates to mitigate exploitation risk.
Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...
How to detect this technique
MITRE ATT&CK Data Components
Application Log Content (Application Log)
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)
Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)
Sigma Detections for this Technique
Ruby on Rails Framework Exceptions
Suspicious Child Process Of SQL Server
JNDIExploit Pattern
Suspicious VSFTPD Error Messages
Atlassian Confluence CVE-2022-26134
Potential Server Side Template Injection In Velocity
F5 BIG-IP iControl Rest API Command Execution - Webserver
Remote Access Tool - ScreenConnect Server Web Shell Execution
Potential Local File Read Vulnerability In JVM Based Application
Potential XXE Exploitation Attempt In JVM Based Application
Potential SpEL Injection In Spring Framework
Terminal Service Process Spawn
Apache Threading Error
Suspicious Processes Spawned by WinRM
Python SQL Exceptions
Potential RCE Exploitation Attempt In NodeJS
Suspicious SQL Error Messages
OpenCanary - FTP Login Attempt
Successful IIS Shortname Fuzzing Scan
Potential OGNL Injection Exploitation In JVM Based Application
DNS Query to External Service Interaction Domains
Apache Spark Shell Command Injection - ProcessCreation
Suspicious SQL Query
Django Framework Exceptions
F5 BIG-IP iControl Rest API Command Execution - Proxy
OpenCanary - HTTP GET Request
Hack Tool User Agent
Suspicious OpenSSH Daemon Error
OMIGOD HTTP No Authentication RCE
Path Traversal Exploitation Attempts
Spring Framework Exceptions
OpenCanary - HTTP POST Login Attempt
Suspicious MSExchangeMailboxReplication ASPX Write
Process Execution Error In JVM Based Application
Suspicious Named Error
SQL Injection Strings In URI
Java Payload Strings
OMIGOD SCX RunAsProvider ExecuteScript
Suspicious User-Agents Related To Recon Tools
OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
Potential JNDI Injection Exploitation In JVM Based Application
OMIGOD SCX RunAsProvider ExecuteShellCommand
Failed Logon From Public IP
Suspicious File Drop by Exchange
Suspicious Process By Web Server Process
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.