T1190

Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: N...

Platforms: Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows

208 Detections
5 Sources
42 Threat Actors

BY SOURCE

splunk_escu: 102, sigma: 46, elastic: 42, sublime: 17, crowdstrike_cql: 1

PROCEDURES (88, auto-extracted)

General Monitoring: 19 detections
Inject: 11 detections
Remote: 10 detections
Suspicious: 7 detections
Network Connection Monitoring: 7 detections
Http: 6 detections
Api: 6 detections
Privilege: 4 detections
Inject: 4 detections
Bypass: 4 detections
Service: 4 detections
Suspicious: 4 detections
Service: 4 detections
Http: 4 detections
Exfiltrat: 3 detections
Persist: 3 detections
Event Log: 3 detections
Child Process: 3 detections
Api: 3 detections
Attachment: 3 detections
Phish: 3 detections
Token: 3 detections
Privilege: 3 detections
Oauth: 2 detections
Script Execution Monitoring: 2 detections
Powershell: 2 detections
Download: 2 detections
Service: 2 detections
Lateral: 2 detections
Exfiltrat: 2 detections
Exfiltrat: 2 detections
Authentication Monitoring: 2 detections
Dns: 2 detections
Cloud: 2 detections
Remote: 2 detections
Impersonat: 2 detections
Service: 2 detections
Azure: 2 detections
Suspicious: 2 detections
Remote: 2 detections
Dns: 2 detections
Suspicious: 2 detections
Parent Process: 2 detections
Child Process: 2 detections
Parent Process: 2 detections
Saml: 1 detection
Event Log: 1 detection
Unusual: 1 detection
Http: 1 detection
Credential: 1 detection
Unusual: 1 detection
C2: 1 detection
Bypass: 1 detection
Suspicious: 1 detection
Command And Control: 1 detection
Lateral: 1 detection
Attachment: 1 detection
Cloud: 1 detection
Email: 1 detection
Email Security: 1 detection
Lateral: 1 detection
Impersonat: 1 detection
Powershell: 1 detection
Remote: 1 detection
Process Creation Monitoring: 1 detection
Child Process: 1 detection
Child Process: 1 detection
Brute Force: 1 detection
Brute Force: 1 detection
Email: 1 detection
Credential: 1 detection
Powershell: 1 detection
Credential: 1 detection
Unusual: 1 detection
Dns: 1 detection
Persist: 1 detection
Inject: 1 detection
Dns: 1 detection
Http: 1 detection
Powershell: 1 detection
Command And Control: 1 detection
C2: 1 detection
Service: 1 detection
Suspicious: 1 detection
Api: 1 detection
Oauth: 1 detection
Http: 1 detection
Saml: 1 detection

DETECTIONS (208)

Accepted Default Telnet Port Connection (elastic, medium)
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint (splunk_escu)
Adobe ColdFusion Access Control Bypass (splunk_escu)
Adobe ColdFusion Unauthenticated Arbitrary File Read (splunk_escu)
Anthropic Magic String in HTML (sublime, low)
Apache Threading Error (sigma, medium)
Attachment: Archive containing HTML file with file scheme link (sublime, high)
Attachment: Archive contains DLL-loading macro (sublime, high)
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability (sublime, critical)
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability (sublime, high)
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability (sublime, critical)
Attachment: LNK with embedded content (sublime, high)
Attachment: WinRAR CVE-2025-8088 exploitation (sublime, high)
Attachment: ZIP file with CVE-2026-0866 exploit (sublime, medium)
Callback Phishing via Signable E-Signature Request (sublime, high)
Callback phishing via SignFree e-signature request (sublime, high)
Callback phishing via Xodo Sign comment (sublime, high)
Cisco IOS XE Implant Access (splunk_escu)
Cisco NVM - Webserver Download From File Sharing Website (splunk_escu)
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity (splunk_escu)
Cisco SD-WAN - Low Frequency Rogue Peer (splunk_escu)
Cisco SD-WAN - Peering Activity (splunk_escu)
Cisco Secure Firewall - High Priority Intrusion Classification (splunk_escu)
Cisco Secure Firewall - Lumma Stealer Activity (splunk_escu)
Cisco Secure Firewall - Oracle E-Business Suite Correlation (splunk_escu)
Cisco Secure Firewall - Oracle E-Business Suite Exploitation (splunk_escu)
Cisco Secure Firewall - React Server Components RCE Attempt (splunk_escu)
Cisco Secure Firewall - Static Tundra Smart Install Abuse (splunk_escu)
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity (splunk_escu)
Cisco Smart Install Oversized Packet Detection (splunk_escu)
Cisco Smart Install Port Discovery and Status (splunk_escu)
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure (splunk_escu)
Citrix ADC and Gateway Unauthorized Data Disclosure (splunk_escu)
Citrix ADC Exploitation CVE-2023-3519 (splunk_escu)
Citrix ShareFile Exploitation CVE-2023-24489 (splunk_escu)
Confluence CVE-2023-22515 Trigger Vulnerability (splunk_escu)
Confluence Data Center and Server Privilege Escalation (splunk_escu)
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 (splunk_escu)
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 (splunk_escu)
ConnectWise ScreenConnect Authentication Bypass (splunk_escu)
ConnectWise ScreenConnect Path Traversal (splunk_escu)
ConnectWise ScreenConnect Path Traversal Windows SACL (splunk_escu)
CrushFTP Authentication Bypass Exploitation (splunk_escu)
CrushFTP Server Side Template Injection (splunk_escu)
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG (sublime, critical)
CVE-2025-53770 - SharePoint ToolShell (crowdstrike_cql)
Detect Exchange Web Shell (splunk_escu)
Detect F5 TMUI RCE CVE-2020-5902 (splunk_escu)
Detect Outbound LDAP Traffic (splunk_escu)
Detect Zerologon via Zeek (splunk_escu)
Django Framework Exceptions (sigma, medium)
DNS Query to External Service Interaction Domains (sigma, high)
Exchange PowerShell Abuse via SSRF (splunk_escu)
Exploit Public Facing Application via Apache Commons Text (splunk_escu)
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 (splunk_escu)
F5 BIG-IP iControl Rest API Command Execution - Proxy (sigma, medium)
F5 BIG-IP iControl Rest API Command Execution - Webserver (sigma, medium)
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 (splunk_escu)
Failed Logon From Public IP (sigma, medium)
FortiGate FortiCloud SSO Login from Unusual Source (elastic, medium)
FortiGate SSO Login Followed by Administrator Account Creation (elastic, high)
Fortinet Appliance Auth bypass (splunk_escu)
Hack Tool User Agent (sigma, high)
HTTP Duplicated Header (splunk_escu)
HTTP Rapid POST with Mixed Status Codes (splunk_escu)
HTTP Request to Reserved Name on IIS Server (splunk_escu)
Hunting for Log4Shell (splunk_escu)
Inbound Connection to an Unsecure Elasticsearch Node (elastic, medium)
Ingress/Egress Security Group Modification (sigma, medium)
Initial Access via File Upload Followed by GET Request (elastic, medium)
Ivanti Connect Secure Command Injection Attempts (splunk_escu)
Ivanti Connect Secure SSRF in SAML Component (splunk_escu)
Ivanti Connect Secure System Information Access via Auth Bypass (splunk_escu)
Ivanti EPM SQL Injection Remote Code Execution (splunk_escu)
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 (splunk_escu)
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 (splunk_escu)
Ivanti Sentry Authentication Bypass (splunk_escu)
Ivanti VTM New Account Creation (splunk_escu)
Java Class File download by Java User Agent (splunk_escu)
Java Payload Strings (sigma, high)
Java Writing JSP File (splunk_escu)
Jenkins Arbitrary File Read CVE-2024-23897 (splunk_escu)
JetBrains TeamCity Authentication Bypass CVE-2024-27198 (splunk_escu)
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 (splunk_escu)
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 (splunk_escu)
JetBrains TeamCity RCE Attempt (splunk_escu)
JNDIExploit Pattern (sigma, high)
Juniper Networks Remote Code Execution Exploit Detection (splunk_escu)
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability (sublime, critical)
Linux Suspicious React or Next.js Child Process (splunk_escu)
Living Off The Land Detection (splunk_escu)
LoadBalancer Security Group Modification (sigma, medium)
Log4Shell CVE-2021-44228 Exploitation (splunk_escu)
Log4Shell JNDI Payload Injection Attempt (splunk_escu)
Log4Shell JNDI Payload Injection with Outbound Connection (splunk_escu)
Mass campaign: Cross Site Scripting (XSS) attempt (sublime, medium)
Microsoft Exchange Server UM Spawning Suspicious Processes (elastic, medium)
Microsoft Exchange Server UM Writing Suspicious Files (elastic, medium)
Microsoft Exchange Worker Spawning Suspicious Processes (elastic, high)
MOVEit Certificate Store Access Failure (splunk_escu)
MOVEit Empty Key Fingerprint Authentication Attempt (splunk_escu)
MS Exchange Mailbox Replication service writing Active Server Pages (splunk_escu)
Nginx ConnectWise ScreenConnect Authentication Bypass (splunk_escu)
Ollama API Accessed from External Network (elastic, medium)
Ollama Possible RCE via Model Loading (splunk_escu)
Ollama Suspicious Prompt Injection Jailbreak (splunk_escu)
OMIGOD SCX RunAsProvider ExecuteScript (sigma, high)
OMIGOD SCX RunAsProvider ExecuteShellCommand (sigma, high)
Open redirect: City of Calgary (sublime, medium)
OpenCanary - FTP Login Attempt (sigma, high)
OpenCanary - HTTP GET Request (sigma, high)
OpenCanary - HTTP POST Login Attempt (sigma, high)
Outbound Network Connection from Java Using Default Ports (splunk_escu)
Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag (sublime, medium)
PaperCut NG Remote Web Access Attempt (splunk_escu)
PaperCut NG Suspicious Behavior Debug Log (splunk_escu)
Path Traversal Exploitation Attempts (sigma, medium)
Potential Buffer Overflow Attack Detected (elastic, low)
Potential Code Execution via Postgresql (elastic, medium)
Potential JAVA/JNDI Exploitation Attempt (elastic, high)
Potential JNDI Injection Exploitation In JVM Based Application (sigma, high)
Potential Linux Hack Tool Launched (elastic, medium)
Potential Local File Read Vulnerability In JVM Based Application (sigma, high)
Potential OGNL Injection Exploitation In JVM Based Application (sigma, high)
Potential RCE Exploitation Attempt In NodeJS (sigma, high)
Potential SAP NetWeaver Exploitation (elastic, high)
Potential Server Side Template Injection In Velocity (sigma, high)
Potential SpEL Injection In Spring Framework (sigma, high)
Potential Telnet Authentication Bypass (CVE-2026-24061) (elastic, critical)
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation (elastic, high)
Potential XXE Exploitation Attempt In JVM Based Application (sigma, high)
Process Execution Error In JVM Based Application (sigma, high)
ProxyShell ProxyNotShell Behavior Detected (splunk_escu)
Python SQL Exceptions (sigma, medium)
RDP (Remote Desktop Protocol) from the Internet (elastic, medium)
RDS Database Security Group Modification (sigma, medium)
React2Shell (CVE-2025-55182) Exploitation Attempt (elastic, high)
React2Shell Network Security Alert (elastic, high)
Remote Access Tool - ScreenConnect Server Web Shell Execution (sigma, high)
RPC (Remote Procedure Call) from the Internet (elastic, high)
RPC (Remote Procedure Call) to the Internet (elastic, high)
Ruby on Rails Framework Exceptions (sigma, medium)
SAP NetWeaver Visual Composer Exploitation Attempt (splunk_escu)
ScreenConnect Server Spawning Suspicious Processes (elastic, high)
SMB (Windows File Sharing) Activity to the Internet (elastic, medium)
Spring Framework Exceptions (sigma, medium)
Spring4Shell Payload URL Request (splunk_escu)
SQL Injection Strings In URI (sigma, high)
SQL Injection with Long URLs (splunk_escu)
Successful IIS Shortname Fuzzing Scan (sigma, medium)
Suspicious Child Execution via Web Server (elastic, medium)
Suspicious Child Process Of SQL Server (sigma, high)
Suspicious File Drop by Exchange (sigma, medium)
Suspicious File Write to SharePoint Layouts Directory (sigma, high)
Suspicious File Write to Webapps Root Directory (sigma, medium)
Suspicious Java Classes (splunk_escu)
Suspicious JetBrains TeamCity Child Process (elastic, medium)
Suspicious MSExchangeMailboxReplication ASPX Write (sigma, high)
Suspicious Named Error (sigma, high)
Suspicious OpenSSH Daemon Error (sigma, medium)
Suspicious Process By Web Server Process (sigma, high)
Suspicious Processes Spawned by WinRM (sigma, high)
Suspicious React Server Child Process (elastic, high)
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process (elastic, high)
Suspicious SQL Error Messages (sigma, high)
Suspicious SQL Query (sigma, medium)
Suspicious User-Agents Related To Recon Tools (sigma, medium)
Suspicious VSFTPD Error Messages (sigma, medium)
Telnet Authentication Bypass via User Environment Variable (elastic, critical)
Terminal Service Process Spawn (sigma, high)
Tomcat Session Deserialization Attempt (splunk_escu)
Tomcat Session File Upload Attempt (splunk_escu)
Unusual Child Process of dns.exe (elastic, high)
Unusual Command Execution from Web Server Parent (elastic, low)
Unusual Exim4 Child Process (elastic, low)
Unusual File Operation by dns.exe (elastic, medium)
Unusual Process Spawned from Web Server Parent (elastic, low)
Unusual Web Server Command Execution (elastic, medium)
VMWare Aria Operations Exploit Attempt (splunk_escu)
VMware Server Side Template Injection Hunt (splunk_escu)
VMware Workspace ONE Freemarker Server-side Template Injection (splunk_escu)
VNC (Virtual Network Computing) from the Internet (elastic, high)
Web JSP Request via URL (splunk_escu)
Web or Application Server Spawning a Shell (splunk_escu)
Web Remote ShellServlet Access (splunk_escu)
Web Server Exploitation Detected via Defend for Containers (elastic, high)
Web Server Local File Inclusion Activity (elastic, low)
Web Server Potential Command Injection Request (elastic, low)
Web Server Potential Remote File Inclusion Activity (elastic, low)
Web Shell Detection: Script Process Child of Common Web Processes (elastic, high)
Web Spring Cloud Function FunctionRouter (splunk_escu)
Web Spring4Shell HTTP Request Class Module (splunk_escu)
Windows Exchange Autodiscover SSRF Abuse (splunk_escu)
Windows Identify PowerShell Web Access IIS Pool (splunk_escu)
Windows IIS Server PSWA Console Access (splunk_escu)
Windows MOVEit Transfer Writing ASPX (splunk_escu)
Windows PaperCut NG Spawn Shell (splunk_escu)
Windows Server Update Service Spawning Suspicious Processes (elastic, high)
Windows SharePoint Spinstall0 GET Request (splunk_escu)
Windows SharePoint Spinstall0 Webshell File Creation (splunk_escu)