Detect Exploit Public-Facing Application in Sumo Logic CSE
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. On ESXi infrastructure, adversaries may exploit exposed OpenSLP services or VMware vCenter servers. If an application is hosted on cloud-based infrastructure and/or is containerized, exploiting it may lead to compromise of the underlying instance or container, allowing adversaries to access cloud or container APIs, escape to the container host, or exploit weak identity and access management policies.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1190 Exploit Public-Facing Application
- Canonical reference
- https://attack.mitre.org/techniques/T1190/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventID = "1" or EventCode = "1"
| parse field=ParentImage "*\\*" as _throwaway, ParentProcessName nocase
| parse field=Image "*\\*" as _throwaway2, ChildProcessName nocase
| where ParentProcessName matches /(?i)^(w3wp\.exe|httpd\.exe|nginx\.exe|apache2\.exe|java\.exe|python\.exe|python3\.exe|php\.exe|php-cgi\.exe|node\.exe|ruby\.exe|perl\.exe|tomcat[0-9]*\.exe|ews\.exe|umworkerprocess\.exe|msexchangeservicehost\.exe)$/
| where ChildProcessName matches /(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|nc\.exe|ncat\.exe|net\.exe|net1\.exe|whoami\.exe|ipconfig\.exe|systeminfo\.exe|nltest\.exe|ping\.exe|nslookup\.exe|tasklist\.exe|quser\.exe|schtasks\.exe|at\.exe|sc\.exe|reg\.exe)$/
| if (ChildProcessName matches /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/, "Shell Spawned",
if (ChildProcessName matches /(?i)^(certutil|bitsadmin|curl|wget|nc|ncat)\.exe$/, "Download/C2 Tool",
if (ChildProcessName matches /(?i)^(whoami|ipconfig|systeminfo|nltest|net|net1|tasklist|quser)\.exe$/, "Reconnaissance",
if (ChildProcessName matches /(?i)^(schtasks|at|sc|reg)\.exe$/, "Persistence Attempt", "Suspicious Child")))) as ExploitEvidence
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, ExploitEvidence
| sort by _messageTime descSumo Logic query against Windows Sysmon Event ID 1 (Process Create) logs to identify web server and application runtime parent processes that spawn known post-exploitation child processes. Extracts process names from full image paths and classifies detections by exploitation stage for triage prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate application health check scripts that run under IIS worker process (w3wp.exe) context invoking ping.exe or nslookup.exe to verify network connectivity
- Java application servers (Tomcat, JBoss) invoking net.exe or sc.exe as part of Windows service lifecycle management or cluster coordination
- Python or Ruby web applications using subprocess calls to run system commands for legitimate data processing or integration with legacy CLI tools
Other platforms for T1190
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Web Server Process Spawning Reconnaissance Commands
Expected signal: Sysmon Event ID 1: Process Create events for cmd.exe, whoami.exe, ipconfig.exe, net.exe, systeminfo.exe with respective command lines. Security Event ID 4688 (with command line auditing enabled) for each spawned process. Sysmon Event ID 11: File creation at %TEMP%\argus-t1190-recon.txt.
- Test 2Drop Test Webshell File in IIS Web Root
Expected signal: Sysmon Event ID 11: File Create with TargetFilename='C:\inetpub\wwwroot\argus-test-shell.aspx'. Sysmon Event ID 1: Process Create for powershell.exe with Set-Content command visible in CommandLine. DeviceFileEvents in Microsoft Defender for Endpoint will show the .aspx file creation with the initiating process context.
- Test 3Log4Shell JNDI Lookup Payload in HTTP Request Headers
Expected signal: Web server access log entry (Apache: /var/log/apache2/access.log, Nginx: /var/log/nginx/access.log) showing the JNDI payload strings in User-Agent and custom header fields. If a Java application with Log4j is running on port 80, Sysmon EventCode=3 (or /proc/net/tcp) will show an LDAP connection attempt to 127.0.0.1:1389 from the java.exe/java process.
- Test 4SQL Injection Payloads in Web Application Query Parameters
Expected signal: Web server access logs will contain entries with SQL injection strings in the cs-uri-query field (IIS) or request URI (Apache/Nginx). The HTTP response codes (200, 400, 404, 500) are printed to stdout for each payload. WAF alert events generated if a WAF is in the request path. No database query is executed — the payloads are evaluated only at the HTTP layer.
References (10)
- https://attack.mitre.org/techniques/T1190/
- https://owasp.org/www-project-top-ten/
- https://cwe.mitre.org/top25/index.html
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
- https://www.recordedfuture.com/blog/esxiargs-ransomware-targets-vmware-esxi-openslp-servers
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-116a
- https://unit42.paloaltonetworks.com/threat-brief-understanding-log4j-vulnerability/
- https://www.secureworks.com/research/bronze-silhouette
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1190/T1190.md
Unlock Pro Content
Get the full detection package for T1190 including response playbook, investigation guide, and atomic red team tests.