T1190 Exploit Public-Facing Application Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let WebServerProcesses = dynamic(["w3wp.exe", "httpd.exe", "nginx.exe", "apache2.exe", "java.exe", "python.exe", "python3.exe", "php.exe", "php-cgi.exe", "node.exe", "ruby.exe", "perl.exe", "tomcat9.exe", "tomcat8.exe", "ews.exe", "umworkerprocess.exe", "msexchangeservicehost.exe"]);
let SuspiciousChildProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe", "nc.exe", "ncat.exe", "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "systeminfo.exe", "nltest.exe", "ping.exe", "nslookup.exe", "tasklist.exe", "quser.exe", "schtasks.exe", "at.exe", "sc.exe", "reg.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (WebServerProcesses)
| where FileName in~ (SuspiciousChildProcesses)
| extend ExploitEvidence = case(
    FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"), "Shell Spawned",
    FileName in~ ("certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe", "nc.exe", "ncat.exe"), "Download/C2 Tool",
    FileName in~ ("whoami.exe", "ipconfig.exe", "systeminfo.exe", "nltest.exe", "net.exe", "net1.exe", "tasklist.exe", "quser.exe"), "Reconnaissance",
    FileName in~ ("schtasks.exe", "at.exe", "sc.exe", "reg.exe"), "Persistence Attempt",
    "Suspicious Child"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
         ExploitEvidence, SHA256
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate web application frameworks that invoke system utilities as part of normal operation — e.g., Node.js applications using child_process.exec() for image processing, PDF generation, or video transcoding
Application deployment automation where IIS app pools or Java application servers execute build tools, packaging scripts, or health check commands as part of CI/CD pipelines
Exchange Hybrid Configuration Wizard and other Microsoft management tools that run Exchange worker processes spawning PowerShell for legitimate configuration and maintenance tasks
Application Performance Monitoring (APM) and diagnostic agents (Dynatrace, AppDynamics, New Relic) that fork child processes for JVM or CLR diagnostics from within the web server process context
DevOps tooling such as Octopus Deploy, TeamCity agents, or Ansible running under an IIS-hosted application pool identity to execute deployment scripts

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ChildImageLower=lower(Image)
| where match(ParentImageLower, "(w3wp\.exe|httpd\.exe|nginx\.exe|apache2\.exe|java\.exe|python\.exe|python3\.exe|php\.exe|php-cgi\.exe|node\.exe|ruby\.exe|perl\.exe|tomcat[0-9]*\.exe|ews\.exe|umworkerprocess\.exe|msexchangeservicehost\.exe)")
| where match(ChildImageLower, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|nc\.exe|ncat\.exe|net\.exe|net1\.exe|whoami\.exe|ipconfig\.exe|systeminfo\.exe|nltest\.exe|ping\.exe|nslookup\.exe|tasklist\.exe|schtasks\.exe|at\.exe|sc\.exe|reg\.exe)")
| eval ExploitEvidence=case(
    match(ChildImageLower, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe)"), "Shell Spawned",
    match(ChildImageLower, "(certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|nc\.exe|ncat\.exe)"), "Download/C2 Tool",
    match(ChildImageLower, "(whoami\.exe|ipconfig\.exe|systeminfo\.exe|nltest\.exe|net\.exe|net1\.exe|tasklist\.exe)"), "Reconnaissance",
    match(ChildImageLower, "(schtasks\.exe|at\.exe|sc\.exe|reg\.exe)"), "Persistence Attempt",
    true(), "Suspicious Child"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ExploitEvidence
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate web application frameworks that invoke system utilities as part of normal operation — e.g., Node.js applications using child_process.exec() for image processing, PDF generation, or video transcoding
Application deployment automation where IIS app pools or Java application servers execute build tools, packaging scripts, or health check commands as part of CI/CD pipelines
Exchange Hybrid Configuration Wizard and other Microsoft management tools that run Exchange worker processes spawning PowerShell for legitimate configuration and maintenance tasks
Application Performance Monitoring (APM) and diagnostic agents (Dynatrace, AppDynamics, New Relic) that fork child processes for JVM or CLR diagnostics from within the web server process context
DevOps tooling such as Octopus Deploy, TeamCity agents, or Ansible running under an IIS-hosted application pool identity to execute deployment scripts

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "apache2.exe", "java.exe", "python.exe", "python3.exe", "php.exe", "php-cgi.exe", "node.exe", "ruby.exe", "perl.exe", "tomcat9.exe", "tomcat8.exe", "ews.exe", "umworkerprocess.exe", "msexchangeservicehost.exe") and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe", "nc.exe", "ncat.exe", "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "systeminfo.exe", "nltest.exe", "ping.exe", "nslookup.exe", "tasklist.exe", "quser.exe", "schtasks.exe", "at.exe", "sc.exe", "reg.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.*

False Positives

Legitimate administrative scripts executed in the context of IIS application pools or Java application servers during scheduled maintenance or health checks
Developer environments where web frameworks (Node.js, Python Flask/Django) spawn shell commands as part of build pipelines or local debugging workflows
Monitoring or APM agents (e.g., Dynatrace OneAgent, New Relic) that legitimately invoke system binaries like whoami.exe or ipconfig.exe to collect host metadata from within the web process context

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
  sourceip,
  username,
  "ParentProcessName",
  "ProcessName",
  "CommandLine",
  "ParentCommandLine",
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN LOWER("ProcessName") SIMILAR TO '%(cmd.exe|powershell.exe|pwsh.exe|wscript.exe|cscript.exe|mshta.exe)%' THEN 'Shell Spawned'
    WHEN LOWER("ProcessName") SIMILAR TO '%(certutil.exe|bitsadmin.exe|curl.exe|wget.exe|nc.exe|ncat.exe)%' THEN 'Download/C2 Tool'
    WHEN LOWER("ProcessName") SIMILAR TO '%(whoami.exe|ipconfig.exe|systeminfo.exe|nltest.exe|net.exe|net1.exe|tasklist.exe|quser.exe)%' THEN 'Reconnaissance'
    WHEN LOWER("ProcessName") SIMILAR TO '%(schtasks.exe|at.exe|sc.exe|reg.exe)%' THEN 'Persistence Attempt'
    ELSE 'Suspicious Child'
  END AS ExploitEvidence
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Snare for Windows')
  AND (
    LOWER("ParentProcessName") SIMILAR TO '%(w3wp.exe|httpd.exe|nginx.exe|apache2.exe|java.exe|python.exe|python3.exe|php.exe|php-cgi.exe|node.exe|ruby.exe|perl.exe|tomcat%.exe|ews.exe|umworkerprocess.exe|msexchangeservicehost.exe)%'
  )
  AND (
    LOWER("ProcessName") SIMILAR TO '%(cmd.exe|powershell.exe|pwsh.exe|wscript.exe|cscript.exe|mshta.exe|rundll32.exe|regsvr32.exe|certutil.exe|bitsadmin.exe|curl.exe|wget.exe|nc.exe|ncat.exe|net.exe|net1.exe|whoami.exe|ipconfig.exe|systeminfo.exe|nltest.exe|ping.exe|nslookup.exe|tasklist.exe|quser.exe|schtasks.exe|at.exe|sc.exe|reg.exe)%'
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via Snare/WinCollect IBM QRadar WinCollect

Required Tables

events

False Positives

Automated deployment pipelines or CI/CD agents running inside IIS or Tomcat application pools that legitimately invoke cmd.exe or PowerShell for configuration management tasks
Vulnerability scanners or EDR agents performing authenticated system enumeration (whoami, systeminfo) from within monitored web application processes
Java-based enterprise applications (e.g., Jenkins, Confluence) that shell out to system utilities as part of plugin execution or administrative operations

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventID = "1" or EventCode = "1"
| parse field=ParentImage "*\\*" as _throwaway, ParentProcessName nocase
| parse field=Image "*\\*" as _throwaway2, ChildProcessName nocase
| where ParentProcessName matches /(?i)^(w3wp\.exe|httpd\.exe|nginx\.exe|apache2\.exe|java\.exe|python\.exe|python3\.exe|php\.exe|php-cgi\.exe|node\.exe|ruby\.exe|perl\.exe|tomcat[0-9]*\.exe|ews\.exe|umworkerprocess\.exe|msexchangeservicehost\.exe)$/
| where ChildProcessName matches /(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|nc\.exe|ncat\.exe|net\.exe|net1\.exe|whoami\.exe|ipconfig\.exe|systeminfo\.exe|nltest\.exe|ping\.exe|nslookup\.exe|tasklist\.exe|quser\.exe|schtasks\.exe|at\.exe|sc\.exe|reg\.exe)$/
| if (ChildProcessName matches /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/, "Shell Spawned",
    if (ChildProcessName matches /(?i)^(certutil|bitsadmin|curl|wget|nc|ncat)\.exe$/, "Download/C2 Tool",
    if (ChildProcessName matches /(?i)^(whoami|ipconfig|systeminfo|nltest|net|net1|tasklist|quser)\.exe$/, "Reconnaissance",
    if (ChildProcessName matches /(?i)^(schtasks|at|sc|reg)\.exe$/, "Persistence Attempt", "Suspicious Child")))) as ExploitEvidence
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, ExploitEvidence
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon via Windows Event Log collection Winlogbeat forwarded to Sumo Logic Sumo Logic Installed Collector on Windows hosts

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Legitimate application health check scripts that run under IIS worker process (w3wp.exe) context invoking ping.exe or nslookup.exe to verify network connectivity
Java application servers (Tomcat, JBoss) invoking net.exe or sc.exe as part of Windows service lifecycle management or cluster coordination
Python or Ruby web applications using subprocess calls to run system commands for legitimate data processing or integration with legacy CLI tools

Google Chronicle / SecOps

yaral

rule t1190_exploit_public_facing_application {
  meta:
    author = "Detection Engineering"
    description = "Detects web server and application runtime processes spawning suspicious child processes indicative of public-facing application exploitation (T1190)"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1190"
    mitre_attack_technique_id = "T1190"
    severity = "HIGH"
    confidence = "HIGH"
    platform = "Windows"
    reference = "https://attack.mitre.org/techniques/T1190/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(w3wp\.exe|httpd\.exe|nginx\.exe|apache2\.exe|java\.exe|python\.exe|python3\.exe|php\.exe|php-cgi\.exe|node\.exe|ruby\.exe|perl\.exe|tomcat[0-9]*\.exe|ews\.exe|umworkerprocess\.exe|msexchangeservicehost\.exe)$/
    $e.target.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|nc\.exe|ncat\.exe|net\.exe|net1\.exe|whoami\.exe|ipconfig\.exe|systeminfo\.exe|nltest\.exe|ping\.exe|nslookup\.exe|tasklist\.exe|quser\.exe|schtasks\.exe|at\.exe|sc\.exe|reg\.exe)$/
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM via Google Workspace/GCP log ingestion Chronicle forwarder with Windows Event Log or Sysmon collection Third-party EDR UDM feeds

Required Tables

UDM events (PROCESS_LAUNCH type)

False Positives

Managed web hosting environments where IIS application pools execute scheduled tasks (schtasks.exe, at.exe) as part of CMS or e-commerce platform maintenance routines
Java-based middleware platforms that use ProcessBuilder or Runtime.exec() to invoke net.exe or sc.exe for Windows service management as part of startup/shutdown hooks
Security scanners or endpoint agents legitimately invoking whoami.exe or systeminfo.exe from application contexts to collect telemetry or verify runtime identity

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(w3wp|httpd|nginx|apache2|java|python|python3|php|php-cgi|node|ruby|perl|tomcat[0-9]*|ews|umworkerprocess|msexchangeservicehost)\.exe$/
| FileName = /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|curl|wget|nc|ncat|net|net1|whoami|ipconfig|systeminfo|nltest|ping|nslookup|tasklist|quser|schtasks|at|sc|reg)\.exe$/
| ExploitEvidence := case {
    FileName = /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/ => "Shell Spawned";
    FileName = /(?i)^(certutil|bitsadmin|curl|wget|nc|ncat)\.exe$/ => "Download/C2 Tool";
    FileName = /(?i)^(whoami|ipconfig|systeminfo|nltest|net|net1|tasklist|quser)\.exe$/ => "Reconnaissance";
    FileName = /(?i)^(schtasks|at|sc|reg)\.exe$/ => "Persistence Attempt";
    * => "Suspicious Child"
  }
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, ExploitEvidence, SHA256HashData, TargetProcessId, ContextProcessId])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) Falcon Data Replicator (FDR) streamed to LogScale

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Legitimate use of Python or Node.js web servers in developer environments where the runtime spawns shell commands during build, test, or scaffolding operations
Enterprise Java applications (e.g., JIRA, Confluence, Jenkins) that use Runtime.exec() to invoke net.exe, sc.exe, or ping.exe for service discovery, cluster health checks, or Windows-specific integrations
IIS-hosted applications with custom HTTP modules or ISAPI filters that invoke certutil.exe or reg.exe during certificate renewal workflows or registry-backed configuration updates

Exploit Public-Facing Application

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Initial Access

Popular Detections