T1190 Exploit Public-Facing Application Mappings

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB (Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet-accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited, this may include Exploitation for Defense Evasion.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1190 Exploit Public-Facing Application
AC-3 Access Enforcement Protects T1190 Exploit Public-Facing Application
AC-4 Information Flow Enforcement Protects T1190 Exploit Public-Facing Application
AC-5 Separation of Duties Protects T1190 Exploit Public-Facing Application
AC-6 Least Privilege Protects T1190 Exploit Public-Facing Application
CA-2 Control Assessments Protects T1190 Exploit Public-Facing Application
CA-7 Continuous Monitoring Protects T1190 Exploit Public-Facing Application
CM-5 Access Restrictions for Change Protects T1190 Exploit Public-Facing Application
CM-6 Configuration Settings Protects T1190 Exploit Public-Facing Application
CM-7 Least Functionality Protects T1190 Exploit Public-Facing Application
CM-8 System Component Inventory Protects T1190 Exploit Public-Facing Application
IA-2 Identification and Authentication (organizational Users) Protects T1190 Exploit Public-Facing Application
IA-8 Identification and Authentication (non-organizational Users) Protects T1190 Exploit Public-Facing Application
RA-10 Threat Hunting Protects T1190 Exploit Public-Facing Application
RA-5 Vulnerability Monitoring and Scanning Protects T1190 Exploit Public-Facing Application
SA-8 Security and Privacy Engineering Principles Protects T1190 Exploit Public-Facing Application
SC-18 Mobile Code Protects T1190 Exploit Public-Facing Application
SC-2 Separation of System and User Functionality Protects T1190 Exploit Public-Facing Application
SC-29 Heterogeneity Protects T1190 Exploit Public-Facing Application
SC-3 Security Function Isolation Protects T1190 Exploit Public-Facing Application
SC-30 Concealment and Misdirection Protects T1190 Exploit Public-Facing Application
SC-39 Process Isolation Protects T1190 Exploit Public-Facing Application
SC-46 Cross Domain Policy Enforcement Protects T1190 Exploit Public-Facing Application
SC-7 Boundary Protection Protects T1190 Exploit Public-Facing Application
SI-10 Information Input Validation Protects T1190 Exploit Public-Facing Application
SI-2 Flaw Remediation Protects T1190 Exploit Public-Facing Application
SI-3 Malicious Code Protection Protects T1190 Exploit Public-Facing Application
SI-4 System Monitoring Protects T1190 Exploit Public-Facing Application
SI-7 Software, Firmware, and Information Integrity Protects T1190 Exploit Public-Facing Application
CVE-2019-15243 Cisco SPA112 2-Port Phone Adapter exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-15976 Cisco Data Center Network Manager exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-15956 Cisco Web Security Appliance (WSA) exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-15958 Cisco Prime Infrastructure exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-1753 Cisco IOS XE Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-1863 Cisco Unified Computing System E-Series Software (UCSE) exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3292 Cisco Small Business RV Series Router Firmware exploitation_technique T1190 Exploit Public-Facing Application
CVE-2018-15397 Cisco Adaptive Security Appliance (ASA) Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-15249 Cisco SPA112 2-Port Phone Adapter exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3312 Cisco Firepower Threat Defense Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-1817 Cisco Web Security Appliance (WSA) exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3306 Cisco Adaptive Security Appliance (ASA) Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3375 Cisco SD-WAN vManage exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3133 Cisco Email Security Appliance (ESA) primary_impact T1190 Exploit Public-Facing Application
CVE-2019-12696 Cisco FireSIGHT System Software primary_impact T1190 Exploit Public-Facing Application
CVE-2020-3387 Cisco SD-WAN vManage exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-1594 Nexus 1000V Switch for VMware vSphere exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-1876 Cisco Wide Area Application Services (WAAS) primary_impact T1190 Exploit Public-Facing Application
CVE-2019-15289 Cisco TelePresence TC Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3407 Cisco IOS XE Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-15276 Cisco Wireless LAN Controller (WLC) exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3126 Cisco Webex Meetings Multimedia Viewer exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-1915 Cisco Unified Communications Manager exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-1746 Cisco IOS and IOS XE Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3397 Cisco NX-OS Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3198 Cisco IOS 12.2(60)EZ16 exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3309 Cisco Firepower Threat Defense Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3177 Cisco Unified Communications Manager exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3510 Cisco IOS XE Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3409 Cisco IOS exploitation_technique T1190 Exploit Public-Facing Application
CVE-2018-15392 Cisco Industrial Network Director exploitation_technique T1190 Exploit Public-Facing Application
CVE-2018-15462 Cisco Firepower Threat Defense Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-1704 Cisco Firepower Threat Defense Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-3244 Cisco ASR 5000 Series Software exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-3707 iDRAC primary_impact T1190 Exploit Public-Facing Application
CVE-2019-3723 OpenManage Server Administrator exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-5345 Unisphere for PowerMax primary_impact T1190 Exploit Public-Facing Application
CVE-2019-3732 RSA BSAFE Crypto-C Micro Edition exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-3731 RSA BSAFE Crypto-C Micro Edition exploitation_technique T1190 Exploit Public-Facing Application
CVE-2018-15776 iDRAC exploitation_technique T1190 Exploit Public-Facing Application
CVE-2018-15764 ESRS Policy Manager exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-3799 Spring Cloud Config exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-3758 RSA Archer primary_impact T1190 Exploit Public-Facing Application
CVE-2018-11051 Certificate Manager Path Traversal Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
CVE-2018-15758 Spring Security OAuth exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-5366 Integrated Dell Remote Access Controller (iDRAC) exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-5373 OMIMSSC (OpenManage Integration for Microsoft System Center) primary_impact T1190 Exploit Public-Facing Application
CVE-2018-15780 RSA Archer primary_impact T1190 Exploit Public-Facing Application
CVE-2019-3706 iDRAC primary_impact T1190 Exploit Public-Facing Application
CVE-2020-15211 tensorflow exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-5220 SyliusResourceBundle exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-11021 http-client exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-5254 NetHack exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-15096 electron exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-11013 Helm primary_impact T1190 Exploit Public-Facing Application
CVE-2020-5252 safety primary_impact T1190 Exploit Public-Facing Application
CVE-2020-11078 httplib2 primary_impact T1190 Exploit Public-Facing Application
CVE-2020-11050 Java-WebSocket primary_impact T1190 Exploit Public-Facing Application
CVE-2020-15170 apollo primary_impact T1190 Exploit Public-Facing Application
CVE-2020-11054 qutebrowser primary_impact T1190 Exploit Public-Facing Application
CVE-2020-4068 APNSwift exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-15109 solidus primary_impact T1190 Exploit Public-Facing Application
CVE-2020-5225 SimpleSAMLphp primary_impact T1190 Exploit Public-Facing Application
CVE-2020-11010 tortoise-orm secondary_impact T1190 Exploit Public-Facing Application
CVE-2019-16784 PyInstaller primary_impact T1190 Exploit Public-Facing Application
CVE-2019-16760 cargo primary_impact T1190 Exploit Public-Facing Application
CVE-2020-5279 PrestaShop primary_impact T1190 Exploit Public-Facing Application
CVE-2018-14781 Medtronic insulin pump primary_impact T1190 Exploit Public-Facing Application
CVE-2018-10590 WebAccess exploitation_technique T1190 Exploit Public-Facing Application
CVE-2018-19010 Dräger Infinity Delta exploitation_technique T1190 Exploit Public-Facing Application
CVE-2019-18234 Equinox Control Expert secondary_impact T1190 Exploit Public-Facing Application
CVE-2020-6964 GE CARESCAPE Telemetry Server,ApexPro Telemetry Server,CARESCAPE Central Station,Clinical Information Center systems,CARESCAPE B450,B650,B850 Monitors primary_impact T1190 Exploit Public-Facing Application
CVE-2020-6993 Moxa PT-7528 series firmware, Version 4.0 or lower, PT-7828 series firmware, Version 3.9 or lower exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-14508 GateManager exploitation_technique T1190 Exploit Public-Facing Application
CVE-2020-1025 Skype for Business Server 2019 CU2 primary_impact T1190 Exploit Public-Facing Application
CVE-2018-8431 Microsoft SharePoint Server primary_impact T1190 Exploit Public-Facing Application
CVE-2020-11652 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2017-16651 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2015-0984 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-1458 Windows uncategorized T1190 Exploit Public-Facing Application
CVE-2010-3888 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-11219 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2015-7912 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2010-2772 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-6129 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2012-0158 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-6703 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-16759 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-15107 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-1132 Windows uncategorized T1190 Exploit Public-Facing Application
CVE-2019-10973 Quest KACE uncategorized T1190 Exploit Public-Facing Application
CVE-2019-0880 Windows Server uncategorized T1190 Exploit Public-Facing Application
CVE-2018-8611 Windows 7 uncategorized T1190 Exploit Public-Facing Application
CVE-2018-7602 core uncategorized T1190 Exploit Public-Facing Application
CVE-2018-7600 Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 uncategorized T1190 Exploit Public-Facing Application
CVE-2018-2893 WebLogic Server uncategorized T1190 Exploit Public-Facing Application
CVE-2018-2628 WebLogic Server uncategorized T1190 Exploit Public-Facing Application
CVE-2018-1000861 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2018-0101 Cisco Adaptive Security Appliance uncategorized T1190 Exploit Public-Facing Application
CVE-2017-9841 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2017-8291 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2017-3881 Cisco IOS and IOS XE Software uncategorized T1190 Exploit Public-Facing Application
CVE-2017-3066 Adobe ColdFusion ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier uncategorized T1190 Exploit Public-Facing Application
CVE-2017-11774 Microsoft Outlook uncategorized T1190 Exploit Public-Facing Application
CVE-2017-0199 Office/WordPad uncategorized T1190 Exploit Public-Facing Application
CVE-2017-0005 Windows GDI uncategorized T1190 Exploit Public-Facing Application
CVE-2016-9192 Cisco AnyConnect Secure Mobility Client uncategorized T1190 Exploit Public-Facing Application
CVE-2015-4902 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2015-0072 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-8551 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-6287 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-6120 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-5279 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-1809 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-0050 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-7372 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-7102 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-5057 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-1289 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-0641 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-0632 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-0631 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2012-2520 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2012-1723 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2012-1557 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2012-0874 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2011-2900 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2011-0096 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2010-3916 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2010-3653 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2010-0817 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2009-2265 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2009-1308 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-5910 HOUSE GATE App for iOS uncategorized T1190 Exploit Public-Facing Application
CVE-2020-6974 Honeywell Notifier Web Server (NWS) uncategorized T1190 Exploit Public-Facing Application
CVE-2020-11738 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2020-9380 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2020-10189 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-2729 WebLogic Server uncategorized T1190 Exploit Public-Facing Application
CVE-2019-2725 Tape Library ACSLS uncategorized T1190 Exploit Public-Facing Application
CVE-2018-10611 MDS PulseNET and MDS PulseNET Enterprise uncategorized T1190 Exploit Public-Facing Application
CVE-2017-18362 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2016-5062 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2015-6480 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-6293 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2012-6498 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-0295 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2016-9684 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-7186 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-6277 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-6271 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2012-1795 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2020-9459 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2011-1331 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-0640 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2017-12637 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-1904 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-11708 Firefox ESR uncategorized T1190 Exploit Public-Facing Application
CVE-2020-13126 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2017-10271 WebLogic Server uncategorized T1190 Exploit Public-Facing Application
CVE-2016-6909 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-6278 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2010-5326 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2009-3041 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2020-11897 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2020-11896 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2018-7496 OSIsoft PI Vision uncategorized T1190 Exploit Public-Facing Application
CVE-2017-1001000 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-8540 iOS uncategorized T1190 Exploit Public-Facing Application
CVE-2019-0604 Microsoft SharePoint Server uncategorized T1190 Exploit Public-Facing Application
CVE-2018-19207 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-3413 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2012-1675 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2011-4862 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2018-2894 WebLogic Server uncategorized T1190 Exploit Public-Facing Application
CVE-2012-6081 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2011-4106 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2018-15961 ColdFusion uncategorized T1190 Exploit Public-Facing Application
CVE-2015-8562 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-3900 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2015-1539 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2010-3765 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-7235 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2012-3015 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2014-1761 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-4335 opOpenSocialPlugin uncategorized T1190 Exploit Public-Facing Application
CVE-2020-2883 WebLogic Server uncategorized T1190 Exploit Public-Facing Application
CVE-2020-0601 Windows uncategorized T1190 Exploit Public-Facing Application
CVE-2019-10149 exim uncategorized T1190 Exploit Public-Facing Application
CVE-2018-20062 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2016-6366 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2019-3396 Confluence Server uncategorized T1190 Exploit Public-Facing Application
CVE-2014-0751 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2018-8414 Windows 10 Servers uncategorized T1190 Exploit Public-Facing Application
CVE-2014-4148 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2016-3088 n/a uncategorized T1190 Exploit Public-Facing Application
CVE-2013-5576 n/a uncategorized T1190 Exploit Public-Facing Application
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1190 Exploit Public-Facing Application
action.malware.variety.Exploit vuln Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations (such as Remote injection when a Remote injection vuln exists). related-to T1190 Exploit Public-Facing Application
aws_rds AWS RDS technique_scores T1190 Exploit Public-Facing Application
Comments
AWS RDS supports the automatic patching of minor versions of database instances. This can result in security flaws in the database instances being fixed before they can be exploited. This mapping is given a score of Partial because it does not protect against misconfigured database instances which may be susceptible to exploitation.
aws_rds AWS RDS technique_scores T1190 Exploit Public-Facing Application
Comments
AWS RDS supports the replication and recovery of database instances. In the event that a database instance is compromised, AWS RDS can be used to restore the database instance to a previous point in time. As a result, this mapping is given a score of Significant.
aws_config AWS Config technique_scores T1190 Exploit Public-Facing Application
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed so that applications intended for internal use cannot be accessed externally for exploitation: "api-gw-endpoint-type-check" can ensure that Amazon API Gateway APIs are private and can only be accessed from within VPCs; "elasticsearch-in-vpc-only" can ensure that Amazon ElasticSearch Service (Amazon ES) domains are in the same VPC and that the domain endpoint is not public; "lambda-function-public-access-prohibited" can verify that AWS Lambda functions are not publicly available; and "ec2-instance-no-public-ip" can verify whether EC2 instances have public IP addresses.

The following AWS Config managed rules can identify configuration problems that should be fixed so that insecure applications are not installed and installed packages are kept updated, reducing the likelihood of adversary exploitation: the "ec2-managedinstance-applications-blacklisted" managed rule verifies that none of a pre-defined list of applications is installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running the desired platform types, including a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation. "rds-automatic-minor-version-upgrade-enabled" can verify that Amazon RDS is being patched, and "elastic-beanstalk-managed-updates-enabled" can verify that Elastic Beanstalk is being patched.

Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services that can be used to host public-facing applications and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
amazon_guardduty Amazon GuardDuty technique_scores T1190 Exploit Public-Facing Application
Comments
There is a GuardDuty finding type that captures when vulnerable publicly facing resources are leveraged to capture data not intended to be viewable (e.g., IAM credentials associated with the resource): UnauthorizedAccess:EC2/MetadataDNSRebind. This finding type only detects MetadataDNSRebind and is focused on the EC2 instance rather than the application running on the instance itself, resulting in Minimal coverage.
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1190 Exploit Public-Facing Application
Comments
AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that a public-facing application or server is compromised, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
amazon_inspector Amazon Inspector technique_scores T1190 Exploit Public-Facing Application
Comments
Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)", which make it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation, and it is not effective against zero-day attacks, vulnerabilities with no available patch, or software that is not analyzed by the scanner. As a result, the score is capped at Partial.
aws_web_application_firewall AWS Web Application Firewall technique_scores T1190 Exploit Public-Facing Application
Comments
The AWS WAF protects public-facing applications against a range of vulnerabilities, including those listed in the OWASP Top 10. AWS WAF provides this protection via the following rule sets, which block malicious traffic across a variety of operating systems and applications: AWSManagedRulesCommonRuleSet, AWSManagedRulesKnownBadInputRuleSet, AWSManagedRulesSQLiRuleSet, AWSManagedRulesLinuxRuleSet, AWSManagedRulesUnixRuleSet, AWSManagedRulesWindowsRuleSet, AWSManagedRulesPHPRuleSet, and AWSManagedRulesWordPressRuleSet. This is given a score of Significant because it protects against vulnerabilities across multiple operating systems (Windows, Linux, POSIX) and technologies (JavaScript, SQL, PHP, WordPress). Furthermore, it blocks the malicious content in near real-time.
aws_security_hub AWS Security Hub technique_scores T1190 Exploit Public-Facing Application
Comments
AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities, which could enable an adversary to exploit those vulnerabilities throughout the attack lifecycle. AWS Security Hub provides this detection with the following managed insight: "EC2 instances that have missing security patches for important vulnerabilities". This is scored as Partial because the checks associated with Security Hub only report on missing patches for known vulnerabilities; they do not cover zero-day vulnerabilities.