Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet-accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited, this may include Exploitation for Defense Evasion.
If an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1190 | Exploit Public-Facing Application | |
AC-3 | Access Enforcement | Protects | T1190 | Exploit Public-Facing Application | |
AC-4 | Information Flow Enforcement | Protects | T1190 | Exploit Public-Facing Application | |
AC-5 | Separation of Duties | Protects | T1190 | Exploit Public-Facing Application | |
AC-6 | Least Privilege | Protects | T1190 | Exploit Public-Facing Application | |
CA-2 | Control Assessments | Protects | T1190 | Exploit Public-Facing Application | |
CA-7 | Continuous Monitoring | Protects | T1190 | Exploit Public-Facing Application | |
CM-5 | Access Restrictions for Change | Protects | T1190 | Exploit Public-Facing Application | |
CM-6 | Configuration Settings | Protects | T1190 | Exploit Public-Facing Application | |
CM-7 | Least Functionality | Protects | T1190 | Exploit Public-Facing Application | |
CM-8 | System Component Inventory | Protects | T1190 | Exploit Public-Facing Application | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1190 | Exploit Public-Facing Application | |
IA-8 | Identification and Authentication (Non-Organizational Users) | Protects | T1190 | Exploit Public-Facing Application | |
RA-10 | Threat Hunting | Protects | T1190 | Exploit Public-Facing Application | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1190 | Exploit Public-Facing Application | |
SA-8 | Security and Privacy Engineering Principles | Protects | T1190 | Exploit Public-Facing Application | |
SC-18 | Mobile Code | Protects | T1190 | Exploit Public-Facing Application | |
SC-2 | Separation of System and User Functionality | Protects | T1190 | Exploit Public-Facing Application | |
SC-29 | Heterogeneity | Protects | T1190 | Exploit Public-Facing Application | |
SC-3 | Security Function Isolation | Protects | T1190 | Exploit Public-Facing Application | |
SC-30 | Concealment and Misdirection | Protects | T1190 | Exploit Public-Facing Application | |
SC-39 | Process Isolation | Protects | T1190 | Exploit Public-Facing Application | |
SC-46 | Cross Domain Policy Enforcement | Protects | T1190 | Exploit Public-Facing Application | |
SC-7 | Boundary Protection | Protects | T1190 | Exploit Public-Facing Application | |
SI-10 | Information Input Validation | Protects | T1190 | Exploit Public-Facing Application | |
SI-2 | Flaw Remediation | Protects | T1190 | Exploit Public-Facing Application | |
SI-3 | Malicious Code Protection | Protects | T1190 | Exploit Public-Facing Application | |
SI-4 | System Monitoring | Protects | T1190 | Exploit Public-Facing Application | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1190 | Exploit Public-Facing Application | |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1190 | Exploit Public-Facing Application | This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed". |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1190 | Exploit Public-Facing Application | This control's CORS-related recommendations can help lead to hardened web applications. This can reduce the likelihood of an application being exploited to reveal sensitive data that can lead to the compromise of an environment. Likewise, this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public-facing content that uses these runtimes. This control's recommendations related to disabling public network access for Azure databases can reduce the exposure of resources to the public Internet and thereby reduce the attack surface. These recommendations are limited to specific technologies (Java, PHP and CORS, SQL DBs) and therefore provide Minimal coverage, leading to a Minimal score. |
azure_sentinel | Azure Sentinel | technique_scores | T1190 | Exploit Public-Facing Application | The Azure Sentinel Hunting "Potential IIS code injection attempt" query can detect some potential injection attacks against public-facing applications. The Azure Sentinel Analytics "A potentially malicious web request was executed against a web server" query can detect a high ratio of blocked requests to unobstructed requests at a Web Application Firewall (WAF) for a given client IP and hostname. The coverage for these queries is minimal (e.g. IIS), resulting in an overall Minimal score. |
azure_defender_for_kubernetes | Azure Defender for Kubernetes | technique_scores | T1190 | Exploit Public-Facing Application | This control may alert on publicly exposed Kubernetes services. This may provide context on services that should be patched or hardened for public access. |
azure_automation_update_management | Azure Automation Update Management | technique_scores | T1190 | Exploit Public-Facing Application | This control provides partial coverage for techniques that exploit vulnerabilities in (common) unpatched software, since it enables automated updates of software and rapid configuration change management. |
azure_policy | Azure Policy | technique_scores | T1190 | Exploit Public-Facing Application | This control may provide recommendations to restrict access to applications that are public facing and may provide information on vulnerable applications. |
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | technique_scores | T1190 | Exploit Public-Facing Application | This control may alert on usage of faulty SQL statements. This generates an alert for a possible SQL injection by an application. Alerts may not be generated on usage of valid SQL statements by attackers for malicious purposes. |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1190 | Exploit Public-Facing Application | This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in a public-facing application. Detection is periodic at an unknown rate. |
azure_defender_for_container_registries | Azure Defender for Container Registries | technique_scores | T1190 | Exploit Public-Facing Application | This control may provide information about vulnerabilities within container images. The limited scope of containers and registries that are applicable to this control contributes to the lower score. |
azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1190 | Exploit Public-Facing Application | This control can protect web applications from common attacks (e.g. SQL injection, XSS). |
azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1190 | Exploit Public-Facing Application | This control can detect common web application attack vectors. |
just-in-time_vm_access | Just-in-Time VM Access | technique_scores | T1190 | Exploit Public-Facing Application | This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at exploitation of a public-facing application unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured. The score is Minimal, since this control only applies to specific applications requiring credentialed access, as opposed to a public web server. |
sql_vulnerability_assessment | SQL Vulnerability Assessment | technique_scores | T1190 | Exploit Public-Facing Application | This control provides recommendations to patch if SQL Server is out of date and to disable unneeded features to reduce exploitable surface area. |
integrated_vulnerability_scanner_powered_by_qualys | Integrated Vulnerability Scanner Powered by Qualys | technique_scores | T1190 | Exploit Public-Facing Application | Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial. |
azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1190 | Exploit Public-Facing Application | This control can detect anomalous traffic to and from externally facing systems with respect to network security group (NSG) policy. |