T1190: Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

process_chains_and_logons: PT-CR-953: Suspicious_Webserver_Process_Chain: Suspicious process start chain for web server utilities
pt_application_firewall: PT-CR-639: PTAF_Alert_Detected: A PT AF rule was triggered
pt_application_firewall: PT-CR-1884: PTAF_SQL_Injection_Detected: PT AF detected an attempted SQL injection attack
pt_application_firewall: PT-CR-1907: PTAF_CVE_Detected: PT AF detected a vulnerability exploitation attempt
pt_application_firewall: PT-CR-1882: PTAF_XSS_Attack_Detected: PT AF detected an attempted cross-site scripting (XSS) attack
pt_application_firewall: PT-CR-637: PTAF_Reflected_File_Download_Detected: PT AF detected a reflected file download (RFD) attack
pt_application_firewall: PT-CR-1897: PTAF_LFI_Detected: PT AF detected an attempted exploitation of a Local File Inclusion (LFI) vulnerability
pt_application_firewall: PT-CR-1896: PTAF_Path_Traversal_Detected: PT AF detected an attempted path traversal attack
postfix: PT-CR-2715: Postfix_Shellshock_On_Patched_Version: Possible attempt to exploit the CVE-2014-6271 (Shellshock) vulnerability through Postfix on versions where this vulnerability is fixed
pt_nad: PT-CR-730: NAD_CVE_On_Vulnerable_Host: PT NAD detected an attempt to exploit a vulnerability
vulnerabilities: PT-CR-2431: Subrule_CVE_2024_21683_Confluence_RCE: Successful POST request to the Confluence function "Add a new language" in the "Code" macro settings section from an authenticated user. This may indicate exploitation of vulnerability CVE-2024-21683, which allows arbitrary code to be executed on the Confluence server host.
vulnerabilities: PT-CR-2455: CVE_2024_4577_PHP_CGI_RCE: Exploitation of vulnerability CVE-2024-4577 in PHP for Windows where PHP is run in CGI mode. The vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on the web server. At the time this rule was developed, the attack could be reproduced only on Windows systems with a Chinese (simplified or traditional) or Japanese system locale. The vulnerability is caused by incorrect handling of the 0xAD character (soft hyphen), which the CGI engine interprets as a regular hyphen. This lets attackers pass additional command-line arguments starting with a hyphen to PHP.
vulnerabilities: PT-CR-2064: Subrule_ActiveMQ_Connect: Connection to the Apache ActiveMQ service
vulnerabilities: PT-CR-2405: CVE_2024_24919_CheckPoint_Information_Disclosure: Exploitation of the CVE-2024-24919 vulnerability, which allows attackers to read arbitrary files on Check Point firewall devices without authorization. The vulnerability affects Check Point software with the IPSec VPN, Remote Access VPN, or Mobile Access blades enabled.
vulnerabilities: PT-CR-2433: CVE_2024_21683_Confluence_RCE: Exploitation of vulnerability CVE-2024-21683 in Confluence. The vulnerability allows an authenticated user to upload and execute arbitrary malicious code through the "Add a new language" function in the "Code" macro settings section.
vulnerabilities: PT-CR-1917: CMS_1C_Bitrix_Race_Landing_Exploit: Possible exploitation of a vulnerability in the landing module of the 1C-Bitrix: Site Management content management system (CMS)
vulnerabilities: PT-CR-2486: Sharepoint_Remote_Code_Execution: Exploitation of vulnerability CVE-2024-38023, CVE-2024-38024, or CVE-2024-38094 in Microsoft SharePoint Server. These vulnerabilities allow an authenticated user with site owner permissions to upload a malicious file to the target SharePoint server and issue API requests that trigger deserialization of the file parameters. By doing so, an attacker can remotely execute arbitrary code.
vulnerabilities: PT-CR-1994: CVE_2023_22515_Confluence: Exploitation of vulnerability CVE-2023-22515 in Confluence, which allows accounts with administrator rights to be created on the server without authentication
vulnerabilities: PT-CR-2065: CVE_2023_46604_ActiveMQ_RCE: Possible exploitation of vulnerability CVE-2023-46604 in Apache ActiveMQ for remote code execution
vulnerabilities: PT-CR-2091: CVE_2022_26134_Confluence_RCE: Exploitation of the CVE-2022-26134 vulnerability in Confluence. It allows attackers to inject OGNL code and then remotely execute arbitrary code without authenticating to the server.
vulnerabilities: PT-CR-2281: CVE_2024_23897_Jenkins_Arbitrary_File_Read: Exploitation of the CVE-2024-23897 vulnerability in Jenkins. An attacker can read an arbitrary file through the Jenkins command-line interface by passing an argument of the form "@<path>", which the CLI's argument parser expands to the contents of that file.
vulnerabilities: PT-CR-2293: CVE_2024_27198_TeamCity_Authentication_Bypass: Exploitation of vulnerability CVE-2024-27198 in TeamCity. The vulnerability allows an attacker to bypass authentication and create a new TeamCity user with administrator permissions, or an access token for an existing user. This can then be used to remotely execute commands.
vulnerabilities: PT-CR-1983: Possible_CVE_2023_20198_Cisco_IOS_XE: Possible exploitation of vulnerability CVE-2023-20198 in Cisco IOS XE, associated with privilege escalation by creating a new administrator account
vulnerabilities: PT-CR-2247: CVE_2023_27350_PaperCut_Authentication_Bypass: Suspicious process start chain for the PaperCut NG/MF application. This may indicate exploitation of the CVE-2023-27350 vulnerability and malicious code execution through built-in PaperCut NG/MF functionality: print scripts and integration with third-party tools for authorization.
mitre_attck_execution: PT-CR-649: Suspicious_Child_From_Webserver_Process: A user started a process whose parent is a web server process
mitre_attck_execution: PT-CR-645: Recon_Via_Webserver_Process: A user started a reconnaissance process whose parent is a web server process
network_devices_abnormal_activity: PT-CR-475: Smart_Install_Usage: Possible vulnerability exploitation in Cisco Smart Install
dnsmasq: PT-CR-2228: Dnsmasq_External_Service_Interaction_Domain_Detection: Suspicious DNS requests to external service interaction domains, which are often used for out-of-band communication after successful RCE
network_devices_compromise: PT-CR-575: Smart_Install_Exploitation_Tool_Usage: Use of the Smart Install Exploitation Tool was detected
network_devices_compromise: PT-CR-576: CheckPoint_SmartConsole_Connection: A connection with the Check Point SmartConsole utility from an untrusted host was detected
network_devices_compromise: PT-CR-571: Cisco_IOS_Change_Config_By_SNMP: A device configuration file was modified over SNMP from an untrusted host
microsoft_exchange: PT-CR-1476: Exchange_ProxyNotShell: Exploitation of the ProxyNotShell vulnerability using the Metasploit module
bind: PT-CR-2185: BIND_External_Service_Interaction_Domain_Detection: A DNS request for external service interaction domains. Attackers use such requests for out-of-band communication.
unix_mitre_attck_initial_access: PT-CR-288: Unix_Suspicious_Activity_By_Web_User: Local OS reconnaissance on behalf of a web service account
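The process-chain rules listed above (Suspicious_Webserver_Process_Chain, Suspicious_Child_From_Webserver_Process, Recon_Via_Webserver_Process and Unix_Suspicious_Activity_By_Web_User) share one idea: a web server process, or an account a web server runs as, should not be the origin of shells or reconnaissance tools. The following is an added example in Python, not MaxPatrol SIEM rule code, that implements that idea over constructed process-creation events. The image-name lists, the web service-account names and the four-hop ancestor limit are assumptions to tune per environment, and the PT rule names are reused only as alert labels.

```python
# Added example, not a MaxPatrol SIEM rule: flag processes whose ancestry leads back to a
# web server, the idea behind the process-chain rules listed above. Image names, service
# accounts and the ancestor-walk depth are assumptions to tune per environment.
import re

WEB_SERVER_IMAGES = {            # parents that should never spawn shells or recon tools
    "w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat9.exe",
    "httpd", "apache2", "nginx", "php-fpm", "node",
}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
RECON_IMAGES = {                 # first commands typically run once a web shell lands
    "whoami.exe", "ipconfig.exe", "net.exe", "net1.exe", "systeminfo.exe", "nltest.exe",
    "whoami", "id", "uname", "hostname", "ifconfig", "ip",
}
WEB_SERVICE_USERS = {"www-data", "apache", "nginx", "iis apppool\\defaultapppool"}


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def web_server_ancestor(event, by_pid, max_depth=4):
    """Return (ancestor_event, hops) for the nearest web-server ancestor, else None."""
    parent = by_pid.get(event["ppid"])
    hops = 1
    while parent is not None and hops <= max_depth:
        if basename(parent["image"]) in WEB_SERVER_IMAGES:
            return parent, hops
        parent = by_pid.get(parent["ppid"])
        hops += 1
    return None


def detect(events):
    """Return (pid, rule_label) for each suspicious process-creation event, in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["image"])
        hit = web_server_ancestor(e, by_pid)
        if hit is not None:
            _, hops = hit
            if hops > 1 and (image in SHELL_IMAGES or image in RECON_IMAGES):
                alerts.append((e["pid"], "Suspicious_Webserver_Process_Chain"))
            elif image in RECON_IMAGES:
                alerts.append((e["pid"], "Recon_Via_Webserver_Process"))
            elif image in SHELL_IMAGES:
                alerts.append((e["pid"], "Suspicious_Child_From_Webserver_Process"))
        elif e.get("user", "").lower() in WEB_SERVICE_USERS and image in RECON_IMAGES:
            # parent not in telemetry (e.g. a short-lived shell), but the account gives it away
            alerts.append((e["pid"], "Unix_Suspicious_Activity_By_Web_User"))
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "user": r"IIS APPPOOL\DefaultAppPool"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",          "user": r"IIS APPPOOL\DefaultAppPool"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\whoami.exe",       "user": r"IIS APPPOOL\DefaultAppPool"},
    {"pid": 103, "ppid": 100, "image": r"C:\php\php-cgi.exe",                   "user": r"IIS APPPOOL\DefaultAppPool"},  # normal
    {"pid": 200, "ppid": 1,   "image": "/usr/sbin/apache2",                     "user": "root"},
    {"pid": 201, "ppid": 200, "image": "/usr/sbin/apache2",                     "user": "www-data"},  # worker, normal
    {"pid": 202, "ppid": 201, "image": "/bin/sh",                               "user": "www-data"},
    {"pid": 203, "ppid": 202, "image": "/usr/bin/id",                           "user": "www-data"},
    {"pid": 300, "ppid": 1,   "image": "/usr/bin/bash",                         "user": "admin"},     # admin shell, normal
    {"pid": 301, "ppid": 300, "image": "/usr/bin/id",                           "user": "admin"},     # normal
    {"pid": 400, "ppid": 999, "image": "/bin/uname",                            "user": "www-data"},  # parent never logged
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

The ancestor walk is what distinguishes the chain rule from the direct-child rules: `whoami.exe` two hops below `w3wp.exe` is still attributed to the web server even though its immediate parent is `cmd.exe`. The account-based check is the fallback for the case the chain cannot see, a process whose parent was never logged.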

Detection

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description:

Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor for successively chained functions that adversaries commonly abuse (i.e. gadget chaining) through unsafe deserialization to exploit publicly facing applications for initial access.
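The following is an added example in Python, not PT AF or PT NAD logic: a content-inspection pass over percent-decoded HTTP requests that looks for the three artefact classes this page mentions, SQL injection strings, serialized Java objects that may carry a gadget chain, and the 0xAD soft hyphen in a CGI query string described under the CVE-2024-4577 rule above. The regexes, the gadget-library class-name hints and the sample requests are constructed for illustration and are not signatures from any product.

```python
# Added example, not PT AF/PT NAD logic: signature checks over percent-decoded HTTP
# requests. Patterns and class-name hints are illustrative assumptions; tune per stack.
import base64
import re
from urllib.parse import unquote_to_bytes, urlsplit

SQLI_PATTERNS = {
    "union_select":  re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "tautology":     re.compile(r"'\s*(?:or|and)\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "stacked_query": re.compile(r";\s*(?:drop|delete|exec|xp_cmdshell)\b", re.I),
    "time_based":    re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(", re.I),
}
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectOutputStream stream header
JAVA_SERIAL_B64 = b"rO0AB"                # the same header once base64-encoded
GADGET_CLASS_HINTS = (                    # assumption: library names seen in public gadget chains
    b"org.apache.commons.collections",
    b"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
)
SOFT_HYPHEN = 0xAD                        # byte the vulnerable CGI path treats as '-'


def _views(blob):
    """Yield the payload as-is and, if it is a base64 serialized Java stream, decoded too."""
    yield blob
    if blob.lstrip().startswith(JAVA_SERIAL_B64):
        try:
            yield base64.b64decode(blob.strip(), validate=True)
        except ValueError:
            pass


def inspect_request(request_line, body=b""):
    """Return a list of finding labels for one HTTP request (request line + raw body)."""
    findings = []
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    path = unquote_to_bytes(parts.path)
    query = unquote_to_bytes(parts.query)

    # (a) SQL injection strings: match on the decoded URL and body, not the raw wire form,
    #     so %27 / %20 encoding cannot hide the quote and whitespace the patterns rely on
    text = (path + b"?" + query + b"\n" + body).decode("latin-1")
    for name, pattern in SQLI_PATTERNS.items():
        if pattern.search(text):
            findings.append("sql_injection:" + name)

    # (b) serialized Java objects, and gadget-library class names inside them
    serialized = False
    for blob in (query, body):
        for view in _views(blob):
            if serialized or JAVA_SERIAL_MAGIC not in view:
                continue
            serialized = True
            findings.append("java_serialized_object")
            if any(hint in view for hint in GADGET_CLASS_HINTS):
                findings.append("gadget_chain_class")

    # (c) soft hyphen in a CGI query string: the CGI convention hands a query with no '='
    #     to the script as command-line arguments, so once 0xAD is mapped to '-' a query
    #     that starts with it becomes an option for php-cgi
    if SOFT_HYPHEN in query:
        normalized = query.replace(bytes([SOFT_HYPHEN]), b"-")
        if b"=" not in normalized and normalized.startswith(b"-"):
            findings.append("cgi_soft_hyphen_argument")
    return findings


# Constructed sample: a base64-encoded serialized stream that names a gadget-library class
SAMPLE_SERIALIZED_BODY = base64.b64encode(
    JAVA_SERIAL_MAGIC + b"sr\x00\x1eorg.apache.commons.collections..."
)
SAMPLE_REQUESTS = [  # constructed, not captured traffic
    ("GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1", b""),
    ("GET /search?q=union+station HTTP/1.1", b""),
    ("POST /api/import HTTP/1.1", SAMPLE_SERIALIZED_BODY),
    ("GET /cgi-bin/php-cgi.exe?%ADh HTTP/1.1", b""),
]


def scan(samples=SAMPLE_REQUESTS):
    """Run inspect_request over the samples; returns (target, findings) pairs."""
    return [(line.split(" ")[1], inspect_request(line, body)) for line, body in samples]


if __name__ == "__main__":
    for target, found in scan():
        print(target, found or "clean")
```

Two details matter in practice: decoding before matching (the first sample carries no literal quote on the wire, only `%27`), and looking inside base64 for the serialized-stream header, since a gadget chain's class names are invisible in the encoded form. A query such as `page=a%ADb` keeps its `=` and is not flagged by check (c).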

ID: DS0015
Data source and component: Application Log: Application Log Content
Description:

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.

Mitigation

ID: M1016
Name: Vulnerability Scanning
Description:

Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.

ID: M1026
Name: Privileged Account Management
Description:

Using least privilege for service accounts limits what permissions the exploited process gets on the rest of the system.

ID: M1030
Name: Network Segmentation
Description:

Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

ID: M1048
Name: Application Isolation and Sandboxing
Description:

Application isolation will limit what other processes and system features the exploited target can access.

ID: M1050
Name: Exploit Protection
Description:

Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.

ID: M1051
Name: Update Software
Description:

Update software regularly by employing patch management for externally exposed applications.