T1190 Microsoft Sentinel · KQL

Detect Exploit Public-Facing Application in Microsoft Sentinel

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. On ESXi infrastructure, adversaries may exploit exposed OpenSLP services or VMware vCenter servers. If an application is hosted on cloud-based infrastructure and/or is containerized, exploiting it may lead to compromise of the underlying instance or container, allowing adversaries to access cloud or container APIs, escape to the container host, or exploit weak identity and access management policies.

MITRE ATT&CK

Tactic
Initial Access
Technique
T1190 Exploit Public-Facing Application
Canonical reference
https://attack.mitre.org/techniques/T1190/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let WebServerProcesses = dynamic(["w3wp.exe", "httpd.exe", "nginx.exe", "apache2.exe", "java.exe", "python.exe", "python3.exe", "php.exe", "php-cgi.exe", "node.exe", "ruby.exe", "perl.exe", "tomcat9.exe", "tomcat8.exe", "ews.exe", "umworkerprocess.exe", "msexchangeservicehost.exe"]);
let SuspiciousChildProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe", "nc.exe", "ncat.exe", "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "systeminfo.exe", "nltest.exe", "ping.exe", "nslookup.exe", "tasklist.exe", "quser.exe", "schtasks.exe", "at.exe", "sc.exe", "reg.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (WebServerProcesses)
| where FileName in~ (SuspiciousChildProcesses)
| extend ExploitEvidence = case(
    FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"), "Shell Spawned",
    FileName in~ ("certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe", "nc.exe", "ncat.exe"), "Download/C2 Tool",
    FileName in~ ("whoami.exe", "ipconfig.exe", "systeminfo.exe", "nltest.exe", "net.exe", "net1.exe", "tasklist.exe", "quser.exe"), "Reconnaissance",
    FileName in~ ("schtasks.exe", "at.exe", "sc.exe", "reg.exe"), "Persistence Attempt",
    "Suspicious Child"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
         ExploitEvidence, SHA256
| sort by Timestamp desc
critical severity high confidence

Detects web application exploitation by monitoring for web server processes (IIS w3wp.exe, Apache httpd.exe, Nginx, Java/Tomcat, Exchange worker processes) spawning unexpected child processes such as command shells, reconnaissance tools, download utilities, or persistence mechanisms. This parent-child process anomaly is a strong indicator of successful remote code execution via exploitation of a public-facing application, consistent with techniques used by APT28, Volt Typhoon, Sandworm, FIN7, and ransomware operators targeting Exchange, IIS, WebLogic, and similar platforms. Classifies spawned processes into Shell Spawned, Download/C2 Tool, Reconnaissance, and Persistence Attempt categories for analyst prioritization.

Data Sources

Process: Process CreationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate web application frameworks that invoke system utilities as part of normal operation — e.g., Node.js applications using child_process.exec() for image processing, PDF generation, or video transcoding
  • Application deployment automation where IIS app pools or Java application servers execute build tools, packaging scripts, or health check commands as part of CI/CD pipelines
  • Exchange Hybrid Configuration Wizard and other Microsoft management tools that run Exchange worker processes spawning PowerShell for legitimate configuration and maintenance tasks
  • Application Performance Monitoring (APM) and diagnostic agents (Dynatrace, AppDynamics, New Relic) that fork child processes for JVM or CLR diagnostics from within the web server process context
  • DevOps tooling such as Octopus Deploy, TeamCity agents, or Ansible running under an IIS-hosted application pool identity to execute deployment scripts
Download portable Sigma rule (.yml)

Other platforms for T1190

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Web Server Process Spawning Reconnaissance Commands

    Expected signal: Sysmon Event ID 1: Process Create events for cmd.exe, whoami.exe, ipconfig.exe, net.exe, systeminfo.exe with respective command lines. Security Event ID 4688 (with command line auditing enabled) for each spawned process. Sysmon Event ID 11: File creation at %TEMP%\argus-t1190-recon.txt.

  2. Test 2Drop Test Webshell File in IIS Web Root

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename='C:\inetpub\wwwroot\argus-test-shell.aspx'. Sysmon Event ID 1: Process Create for powershell.exe with Set-Content command visible in CommandLine. DeviceFileEvents in Microsoft Defender for Endpoint will show the .aspx file creation with the initiating process context.

  3. Test 3Log4Shell JNDI Lookup Payload in HTTP Request Headers

    Expected signal: Web server access log entry (Apache: /var/log/apache2/access.log, Nginx: /var/log/nginx/access.log) showing the JNDI payload strings in User-Agent and custom header fields. If a Java application with Log4j is running on port 80, Sysmon EventCode=3 (or /proc/net/tcp) will show an LDAP connection attempt to 127.0.0.1:1389 from the java.exe/java process.

  4. Test 4SQL Injection Payloads in Web Application Query Parameters

    Expected signal: Web server access logs will contain entries with SQL injection strings in the cs-uri-query field (IIS) or request URI (Apache/Nginx). The HTTP response codes (200, 400, 404, 500) are printed to stdout for each payload. WAF alert events generated if a WAF is in the request path. No database query is executed — the payloads are evaluated only at the HTTP layer.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1190 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1505.003Web ShellT1059.001PowerShellT1059.003Windows Command ShellT1055Process InjectionT1105Ingress Tool TransferT1003OS Credential DumpingT1611Escape to HostT1552.005Cloud Instance Metadata APIT1211Exploitation for Defense EvasionT1078.003Local Accounts

Same Tactic: Initial Access

Popular Detections