1. Home
  2. Techniques
  3. Exploit Public-Facing Application

Exploit Public-Facing Application

Sub-techniques (7)
ID Name
T1190.A016 EC2 Hosted Application Compromise
T1190.A019 Overly Permissive VPC Security Groups

MITRE ATT&CK Content


Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers. Depending on the flaw being exploited, this may also involve Exploitation for Defense Evasion [MITRE] or Exploitation for Client Execution [MITRE] .

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the Cloud Instance Metadata API [MITRE] ), exploit container host access via Escape to Host [MITRE] , or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.

Detection

ID Data Source Data Component Description
DS0015 Application Log Application Log Content Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crsash. Web Application Firewalls may detect improper iputs attempting exploitation. Web Application Firewalls may detect improper inputs attempting exploitation. Web server logs (e.g., /var/log/httpd or /var/log/apache for Apache web servers on Linux) may also record evidence of exploitation.
DS0029 Network Traffic Network Traffic Content Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor ofr successively chained functions that adversaries commonly abuse (i.e. gadget chaining) through unsafe deserialization to exploit publicly facing application for initial access. In AWS environments, monitor VPC flow logs and/or Elastic Load Balancer (ELB) logs going to and from instances hosting externally accessible applications.

References

  1. mitre-attack
  2. CWE top 25
  3. CIS Multiple SMB Vulnerabilities
  4. Wired Russia Cyberwar
  5. Mandiant Fortinet Zero Day
  6. NVD CVE-2016-6662
  7. NVD CVE-2014-7169
  8. Cisco Blog Legacy Device Attacks
  9. OWASP Top 10
  10. US-CERT TA18-106A Network Infrastructure Devices 2018
  11. CWE top 25

Technique Information

ID: T1190
Aliases: T1190
Sub-techniques:
Tactics:
  • Initial Access
Platforms:
  • Windows
  • IaaS
  • Network
  • Linux
  • macOS
  • Containers
  • Amazon Web Services (AWS)
Created: 18 Apr 2018
Last Modified: 03 Jun 2025