Exploit Public-Facing Application `T1190`

Tactic: Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Events covered

23 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 3	Network connection
Sysmon	Event ID 7	Image loaded
Sysmon	Event ID 11	FileCreate
Sysmon	Event ID 23	FileDelete (File Delete archived)
Sysmon	Event ID 26	FileDeleteDetected (File Delete logged)
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4625	An account failed to log on.
Security-Auditing	Event ID 4648	A logon was attempted using explicit credentials.
Security-Auditing	Event ID 4663	An attempt was made to access an object.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 5136	A directory service object was modified.
Security-Auditing	Event ID 5140	A network share object was accessed.
Security-Auditing	Event ID 5145	A network share object was checked to see whether client can be granted desired access.
Security-Auditing	Event ID 5156	The Windows Filtering Platform has permitted a connection.
Defender-DeviceNetworkEvents	any	Network activity (any)
ESF	exec	Process Execution (Notify)
ESF	create	File or Directory Create (NOTIFY)
ESF	rename	File Rename (NOTIFY)
PowerShell	Event ID 4103	Payload Context: ContextInfo User Data: UserData.
MsiInstaller	Event ID 1033	Windows Installer installed the product.
Sysmon-for-Linux	Event ID 1	Process Create
Sysmon-for-Linux	Event ID 11	File created

Authoring guide

Patterns shared across the 516 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (355 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`cs-method`	78	`eq` 74, `in` 4	`POST`, `GET`, `PUT`, `HEAD`, `OPTIONS`
`cs-uri-query`	57	`contains` 54, `ends_with` 4, `match` 2, `eq` 1, `starts_with` 1, `wildcard` 1	`/ecp/`, `/help/admin-guide/reports/reportgenerate.jsp`, `/owa/`, `/powershell`, `__viewstate=`
`c-uri`	46	`contains` 30, `in` 16, `ends_with` 4	`/mgmt/tm/util/bash`, `/powershell`, `%40`, `${`, `%2F%7B`
`process_name`	39	`eq` 18, `in` 18, `starts_with` 3, `wildcard` 3, `match` 2, `regex_match` 2, `ends_with` 1	`bash`, `cmd.exe`, `powershell.exe`, `busybox`, `csh`
`EventType`	38	`eq` 24, `contains` 8, `in` 6	`exec`, `IntrusionEvent`, `creation`, `exec_event`, `ProcessRollup2`
`sourcetype`	32	`eq` 29, `in` 3	`cisco:sfw:estreamer`, `cisco:ios`, `suricata`, `cisco:sdwan:syslog`, `crushftp:sessionlogs`
`ParentImage`	31	`ends_with` 22, `contains` 6, `wildcard` 3, `eq` 2, `starts_with` 2	`/java`, `/u0/`, `\javaw.exe`, `\w3wp.exe`, `-tomcat-`
`parent_process_name`	31	`eq` 20, `in` 10, `starts_with` 7, `wildcard` 3, `ends_with` 2, `match` 2, `regex_match` 2, `contains` 1, `ne` 1	`apache2`, `.cgi`, `.fcgi`, `caddy`, `(?i)Confluence.*(tomcat\d+?\|java)\.exe`
`CommandLine`	30	`contains` 25, `is_not_null` 3, `wildcard` 2, `ends_with` 1, `in` 1, `regex_match` 1, `starts_with` 1	`-classpath` , `.payload`, `/bin/sh`, `/c powershell`, `-c`
`Image`	30	`ends_with` 26, `contains` 2, `wildcard` 2, `eq` 1, `is_not_null` 1, `is_null` 1, `starts_with` 1	`\cmd.exe`, `\bitsadmin.exe`, `\powershell.exe`, `\bash.exe`, `\certutil.exe`
`Web.status`	28	`eq` 26, `in` 2	`200`, `201`, `202`, `403`, `409`
`event.type`	27	`eq` 26, `in` 1	`start`, `creation`, `change`, `connection`, `deletion`
`sc-status`	23	`eq` 23, `contains` 1	`200`, `301`, `302`, `401`, `405`
`ParentCommandLine`	19	`contains` 16, `in` 2, `wildcard` 1	`app.py`, `asgi.py`, `django`, `--experimental-https`, `--experimental-https`
`TargetFilename`	18	`contains` 13, `ends_with` 8, `in` 3, `starts_with` 3, `wildcard` 1	`.jsp`, `\\httpproxy\\oab\\`, `\\httpproxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, `.ashx`

Top indicator values (3199 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`cs-method`	`eq`	`POST` sigmaConfluence Exploitation CVE-2019-3398 sigmaCVE-2021-21972 VSphere Exploitation sigmaCVE-2021-21978 Exploitation Attempt sigmaCVE-2021-33766 Exchange ProxyToken Exploitation sigmaCVE-2022-31659 VMware Workspace ONE Access RCE sigmaCVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21 sigmaCVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) sigmaCVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) sigmaCVE-2023-46747 Exploitation Activity - Proxy sigmaCVE-2023-46747 Exploitation Activity - Webserver sigmaExchange Exploitation CVE-2021-28480 sigmaExchange Exploitation Used by HAFNIUM sigmaF5 BIG-IP iControl Rest API Command Execution - Proxy sigmaF5 BIG-IP iControl Rest API Command Execution - Webserver sigmaFortinet CVE-2021-22123 Exploitation sigmaOWASSRF Exploitation Attempt Using Public POC - Proxy sigmaOWASSRF Exploitation Attempt Using Public POC - Webserver sigmaPotential Centos Web Panel Exploitation Attempt - CVE-2022-44877 sigmaPotential CVE-2021-26084 Exploitation Attempt sigmaPotential CVE-2022-21587 Exploitation Attempt sigmaPotential CVE-2023-27997 Exploitation Indicators sigmaPotential OWASSRF Exploitation Attempt - Proxy sigmaPotential OWASSRF Exploitation Attempt - Webserver sigmaProxyLogon Reset Virtual Directories Based On IIS Log sigmaSharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS sigmaSitecore Pre-Auth RCE CVE-2021-42237 sigmaVMware vCenter Server File Upload CVE-2021-22005 sigmaZimbra Collaboration Suite Email Server Unauthenticated RCE splunkAdobe ColdFusion Unauthenticated Arbitrary File Read splunkCisco IOS XE Implant Access splunkCitrix ADC and Gateway CitrixBleed 2 Memory Disclosure splunkCitrix ADC Exploitation CVE-2023-3519 splunkCitrix ShareFile Exploitation CVE-2023-24489 splunkConfluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 splunkConnectWise ScreenConnect Authentication Bypass splunkF5 BIG-IP iControl REST Vulnerability CVE-2022-1388 splunkIvanti Connect Secure SSRF in SAML Component splunkIvanti EPM SQL Injection Remote Code Execution splunkJenkins Arbitrary File Read CVE-2024-23897 splunkJetBrains TeamCity Authentication Bypass CVE-2024-27198 splunkJetBrains TeamCity RCE Attempt splunkVMWare Aria Operations Exploit Attempt splunkWeb Spring Cloud Function FunctionRouter splunkWindows Exchange Autodiscover SSRF Abuse splunkWindows SharePoint ToolPane Endpoint Exploitation Attempt splunkWordPress Bricks Builder plugin RCE splunkWS FTP Remote Code Execution	47	53
`cs-method`	`eq`	`GET` sigmaCisco ASA Exploitation Activity - Proxy sigmaCVE-2020-0688 Exchange Exploitation via Web Log sigmaCVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21 sigmaCVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy sigmaCVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver sigmaCVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy sigmaCVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver sigmaOracle WebLogic Exploit CVE-2021-2109 sigmaPotential CVE-2021-27905 Exploitation Attempt sigmaPotential CVE-2022-46169 Exploitation Attempt sigmaPotential CVE-2023-23752 Exploitation Attempt sigmaPotential CVE-2023-25717 Exploitation Attempt sigmaPotential CVE-2023-27997 Exploitation Indicators sigmaPotential Information Disclosure CVE-2023-43261 Exploitation - Proxy sigmaPotential Information Disclosure CVE-2023-43261 Exploitation - Web sigmaSharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS sigmaSQL Injection Strings In URI sigmaSuccessful IIS Shortname Fuzzing Scan sigmaTerraMaster TOS CVE-2020-28188 splunkAccess to Vulnerable Ivanti Connect Secure Bookmark Endpoint splunkConfluence CVE-2023-22515 Trigger Vulnerability splunkIvanti Connect Secure System Information Access via Auth Bypass splunkJava Class File download by Java User Agent splunkSpring4Shell Payload URL Request splunkTomcat Session Deserialization Attempt splunkVMware Server Side Template Injection Hunt splunkVMware Workspace ONE Freemarker Server-side Template Injection splunkWeb JSP Request via URL splunkWindows SharePoint Spinstall0 GET Request	29	49
`Web.status`	`eq`	`200` splunkAdobe ColdFusion Access Control Bypass splunkAdobe ColdFusion Unauthenticated Arbitrary File Read splunkCisco IOS XE Implant Access splunkCitrix ADC and Gateway CitrixBleed 2 Memory Disclosure splunkCitrix ADC and Gateway Unauthorized Data Disclosure splunkConfluence CVE-2023-22515 Trigger Vulnerability splunkConfluence Data Center and Server Privilege Escalation splunkConnectWise ScreenConnect Authentication Bypass splunkIvanti Connect Secure Command Injection Attempts splunkIvanti Connect Secure SSRF in SAML Component splunkIvanti Connect Secure System Information Access via Auth Bypass splunkIvanti EPM SQL Injection Remote Code Execution splunkIvanti EPMM Remote Unauthenticated API Access CVE-2023-35078 splunkIvanti EPMM Remote Unauthenticated API Access CVE-2023-35082 splunkJenkins Arbitrary File Read CVE-2024-23897 splunkJetBrains TeamCity Authentication Bypass CVE-2024-27198 splunkJetBrains TeamCity RCE Attempt splunkJuniper Networks Remote Code Execution Exploit Detection splunkSAP NetWeaver Visual Composer Exploitation Attempt splunkWeb Remote ShellServlet Access splunkWindows Exchange Autodiscover SSRF Abuse splunkWordPress Bricks Builder plugin RCE splunkWS FTP Remote Code Execution	23	25
`event.type`	`eq`	`start` elasticDeprecated - Unusual Command Execution from Web Server Parent elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticMicrosoft Exchange Server UM Spawning Suspicious Processes elasticMicrosoft Exchange Worker Spawning Suspicious Processes elasticPotential Code Execution via Postgresql elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential Linux Hack Tool Launched elasticPotential SAP NetWeaver Exploitation elasticPotential Telnet Authentication Bypass (CVE-2026-24061) elasticScreenConnect Server Spawning Suspicious Processes elasticSuspicious Child Execution via Web Server elasticSuspicious Command Execution via Web Server elasticSuspicious JetBrains TeamCity Child Process elasticSuspicious React Server Child Process elasticTelnet Authentication Bypass via User Environment Variable elasticUnusual Child Execution via Web Server elasticUnusual Child Process of dns.exe elasticUnusual Command Execution via Web Server elasticUnusual Exim4 Child Process elasticUnusual Process For MSSQL Service Accounts elasticWeb Server Exploitation Detected via Defend for Containers elasticWeb Shell Detection: Script Process Child of Common Web Processes elasticWindows Server Update Service Spawning Suspicious Processes	23	606
`sc-status`	`eq`	`200` sigmaCisco ASA FTD Exploit CVE-2020-3452 sigmaCVE-2021-41773 Exploitation Attempt sigmaCVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) sigmaCVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) sigmaCVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy sigmaCVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver sigmaGrafana Path Traversal Exploitation CVE-2021-43798 sigmaOWASSRF Exploitation Attempt Using Public POC - Proxy sigmaOWASSRF Exploitation Attempt Using Public POC - Webserver sigmaPotential CVE-2021-26084 Exploitation Attempt sigmaPotential CVE-2021-27905 Exploitation Attempt sigmaPotential Information Disclosure CVE-2023-43261 Exploitation - Proxy sigmaPotential Information Disclosure CVE-2023-43261 Exploitation - Web sigmaPotential OWASSRF Exploitation Attempt - Proxy sigmaPotential OWASSRF Exploitation Attempt - Webserver sigmaProxyLogon Reset Virtual Directories Based On IIS Log sigmaSitecore Pre-Auth RCE CVE-2021-42237 sigmaSuccessful IIS Shortname Fuzzing Scan sigmaZimbra Collaboration Suite Email Server Unauthenticated RCE	19	23
`Image`	`ends_with`	`\cmd.exe` sigmaCVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) sigmaCVE-2024-50623 Exploitation Attempt - Cleo sigmaExploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process sigmaExploited CVE-2020-10189 Zoho ManageEngine sigmaPotential CVE-2021-44228 Exploitation Attempt - VMware Horizon sigmaPotential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution sigmaPotential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) sigmaPotential Exploitation of GoAnywhere MFT Vulnerability sigmaRemote Access Tool - ScreenConnect Server Web Shell Execution sigmaSuspicious Child Process of SAP NetWeaver sigmaSuspicious Child Process Of SQL Server sigmaSuspicious CrushFTP Child Process sigmaSuspicious File Write to SharePoint Layouts Directory sigmaSuspicious Process By Web Server Process sigmaSuspicious Processes Spawned by WinRM sigmaWindows Suspicious Child Process from Node.js - React2Shell	16	130
`Image`	`ends_with`	`\powershell.exe` sigmaCVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) sigmaExploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process sigmaExploited CVE-2020-10189 Zoho ManageEngine sigmaPotential CVE-2021-44228 Exploitation Attempt - VMware Horizon sigmaPotential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution sigmaPotential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) sigmaPotential Exploitation of GoAnywhere MFT Vulnerability sigmaSuspicious Child Process of SAP NetWeaver sigmaSuspicious Child Process Of SQL Server sigmaSuspicious CrushFTP Child Process sigmaSuspicious File Write to SharePoint Layouts Directory sigmaSuspicious Process By Web Server Process sigmaSuspicious Processes Spawned by WinRM sigmaWindows Suspicious Child Process from Node.js - React2Shell	14	182
`Image`	`ends_with`	`\pwsh.exe` sigmaExploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process sigmaExploited CVE-2020-10189 Zoho ManageEngine sigmaPotential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) sigmaPotential Exploitation of GoAnywhere MFT Vulnerability sigmaSuspicious Child Process of SAP NetWeaver sigmaSuspicious Child Process Of SQL Server sigmaSuspicious CrushFTP Child Process sigmaSuspicious File Write to SharePoint Layouts Directory sigmaSuspicious Process By Web Server Process sigmaSuspicious Processes Spawned by WinRM sigmaWindows Suspicious Child Process from Node.js - React2Shell	11	168
`Image`	`ends_with`	`\bitsadmin.exe` sigmaExploited CVE-2020-10189 Zoho ManageEngine sigmaPotential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) sigmaSuspicious Child Process of SAP NetWeaver sigmaSuspicious Child Process Of SQL Server sigmaSuspicious Process By Web Server Process sigmaSuspicious Processes Spawned by WinRM sigmaWindows Suspicious Child Process from Node.js - React2Shell	7	29
`Image`	`ends_with`	`\powershell_ise.exe` sigmaExploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process sigmaPotential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) sigmaPotential Exploitation of GoAnywhere MFT Vulnerability sigmaSuspicious Child Process of SAP NetWeaver sigmaSuspicious CrushFTP Child Process sigmaSuspicious File Write to SharePoint Layouts Directory sigmaSuspicious Process By Web Server Process	7	41
`HttpRequestMethod`	`eq`	`GET` kustoApache - Apache 2.4.49 flaw CVE-2021-41773 kustoCloudflare - Multiple error requests from single source kustoCloudflare - Multiple error requests from single source kustoCloudflare - Unexpected client request kustoCloudflare - Unexpected client request kustoCloudflare - Unexpected URI kustoCloudflare - Unexpected URI kustoNGINX - Put file and get file from same IP address kustoOracle - Oracle WebLogic Exploit CVE-2021-2109 kustoOracle - Put file and get file from same IP address kustoTomcat - Put file and get file from same IP address	11	12
`process_name`	`eq`	`cmd.exe` elasticMicrosoft Exchange Worker Spawning Suspicious Processes elasticScreenConnect Server Spawning Suspicious Processes elasticSuspicious JetBrains TeamCity Child Process elasticSuspicious SolarWinds Web Help Desk Java Module Load or Child Process elasticWindows Server Update Service Spawning Suspicious Processes splunkWindows PaperCut NG Spawn Shell splunkWindows Shell Process from CrushFTP splunkWindows Suspicious React or Next.js Child Process splunkWindows WSUS Spawning Shell	9	77
`process_name`	`eq`	`powershell.exe` elasticMicrosoft Exchange Worker Spawning Suspicious Processes elasticScreenConnect Server Spawning Suspicious Processes elasticSuspicious JetBrains TeamCity Child Process elasticSuspicious SolarWinds Web Help Desk Java Module Load or Child Process elasticWindows Server Update Service Spawning Suspicious Processes splunkWindows PaperCut NG Spawn Shell splunkWindows Shell Process from CrushFTP splunkWindows WSUS Spawning Shell	8	104
`process_name`	`eq`	`pwsh.exe` elasticMicrosoft Exchange Worker Spawning Suspicious Processes elasticScreenConnect Server Spawning Suspicious Processes elasticSuspicious JetBrains TeamCity Child Process elasticWindows Server Update Service Spawning Suspicious Processes splunkWindows PaperCut NG Spawn Shell splunkWindows Shell Process from CrushFTP splunkWindows WSUS Spawning Shell	7	62
`EventType`	`eq`	`exec` elasticDeprecated - Unusual Command Execution from Web Server Parent elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticSuspicious Child Execution via Web Server elasticSuspicious Command Execution via Web Server elasticUnusual Child Execution via Web Server elasticUnusual Command Execution via Web Server elasticUnusual Exim4 Child Process elasticWeb Server Exploitation Detected via Defend for Containers	8	171
`EventType`	`eq`	`IntrusionEvent` splunkCisco Secure Firewall - High Priority Intrusion Classification splunkCisco Secure Firewall - Lumma Stealer Activity splunkCisco Secure Firewall - Oracle E-Business Suite Correlation splunkCisco Secure Firewall - Oracle E-Business Suite Exploitation splunkCisco Secure Firewall - React Server Components RCE Attempt splunkCisco Secure Firewall - Static Tundra Smart Install Abuse splunkCisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity	7	18
`HttpRequestMethod`	`in`	`POST` kustoApache - Put suspicious file kustoCloudflare - XSS probing pattern in request kustoCloudflare - XSS probing pattern in request kustoImperva - Forbidden HTTP request method in request kustoNGINX - Put file and get file from same IP address kustoOracle - Put file and get file from same IP address kustoOracle - Put suspicious file kustoTomcat - Put file and get file from same IP address	8	12
`HttpRequestMethod`	`in`	`PUT` kustoApache - Put suspicious file kustoCloudflare - XSS probing pattern in request kustoCloudflare - XSS probing pattern in request kustoImperva - Forbidden HTTP request method in request kustoNGINX - Put file and get file from same IP address kustoOracle - Put file and get file from same IP address kustoOracle - Put suspicious file kustoTomcat - Put file and get file from same IP address	8	12
`parent_process_name`	`eq`	`java` elasticDeprecated - Unusual Command Execution from Web Server Parent elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticPotential JAVA/JNDI Exploitation Attempt elasticSuspicious Child Execution via Web Server elasticSuspicious Command Execution via Web Server elasticUnusual Child Execution via Web Server elasticUnusual Command Execution via Web Server elasticWeb Server Exploitation Detected via Defend for Containers	8	8
`process_name`	`in`	`bash` elasticDeprecated - Unusual Command Execution from Web Server Parent elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticSuspicious Command Execution via Web Server elasticSuspicious React Server Child Process elasticUnusual Command Execution via Web Server elasticWeb Server Exploitation Detected via Defend for Containers splunkLinux Suspicious React or Next.js Child Process splunkWeb or Application Server Spawning a Shell	8	88
`process_name`	`in`	`dash` elasticDeprecated - Unusual Command Execution from Web Server Parent elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticSuspicious Command Execution via Web Server elasticSuspicious React Server Child Process elasticUnusual Command Execution via Web Server elasticWeb Server Exploitation Detected via Defend for Containers splunkLinux Suspicious React or Next.js Child Process splunkWeb or Application Server Spawning a Shell	8	78
`process_name`	`in`	`sh` elasticDeprecated - Unusual Command Execution from Web Server Parent elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticSuspicious Command Execution via Web Server elasticSuspicious React Server Child Process elasticUnusual Command Execution via Web Server elasticWeb Server Exploitation Detected via Defend for Containers splunkLinux Suspicious React or Next.js Child Process splunkWeb or Application Server Spawning a Shell	8	83
`process_name`	`in`	`zsh` elasticDeprecated - Unusual Command Execution from Web Server Parent elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticSuspicious Command Execution via Web Server elasticSuspicious React Server Child Process elasticUnusual Command Execution via Web Server elasticWeb Server Exploitation Detected via Defend for Containers splunkLinux Suspicious React or Next.js Child Process splunkWeb or Application Server Spawning a Shell	8	82
`process_name`	`in`	`ksh` elasticDeprecated - Unusual Command Execution from Web Server Parent elasticDeprecated - Unusual Process Spawned from Web Server Parent elasticSuspicious Command Execution via Web Server elasticUnusual Command Execution via Web Server elasticWeb Server Exploitation Detected via Defend for Containers splunkLinux Suspicious React or Next.js Child Process splunkWeb or Application Server Spawning a Shell	7	73
`sourcetype`	`eq`	`cisco:sfw:estreamer` splunkCisco Secure Firewall - High Priority Intrusion Classification splunkCisco Secure Firewall - Lumma Stealer Activity splunkCisco Secure Firewall - Oracle E-Business Suite Correlation splunkCisco Secure Firewall - Oracle E-Business Suite Exploitation splunkCisco Secure Firewall - React Server Components RCE Attempt splunkCisco Secure Firewall - Static Tundra Smart Install Abuse splunkCisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity	7	32
`CommandLine`	`contains`	`curl` sigmaAtlassian Confluence CVE-2022-26134 sigmaLinux Suspicious Child Process from Node.js - React2Shell sigmaPotential Atlassian Confluence CVE-2021-26084 Exploitation Attempt sigmaPotential Exploitation of GoAnywhere MFT Vulnerability sigmaSuspicious Child Process of SolarWinds WebHelpDesk sigmaWindows Suspicious Child Process from Node.js - React2Shell	6	17
`data_stream.dataset`	`eq`	`network_traffic.http` elasticInbound Connection to an Unsecure Elasticsearch Node elasticInitial Access via File Upload Followed by GET Request elasticPotential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940) elasticPotential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771) elasticPotential VIEWSTATE RCE Attempt on SharePoint/IIS elasticPotential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation	6	6
`event.category`	`in`	`network` elasticAccepted Default Telnet Port Connection elasticRDP (Remote Desktop Protocol) from the Internet elasticRPC (Remote Procedure Call) from the Internet elasticRPC (Remote Procedure Call) to the Internet elasticSMB (Windows File Sharing) Activity to the Internet elasticVNC (Virtual Network Computing) from the Internet	6	15
`event.category`	`in`	`network_traffic` elasticAccepted Default Telnet Port Connection elasticRDP (Remote Desktop Protocol) from the Internet elasticRPC (Remote Procedure Call) from the Internet elasticRPC (Remote Procedure Call) to the Internet elasticSMB (Windows File Sharing) Activity to the Internet elasticVNC (Virtual Network Computing) from the Internet	6	15
`http_method`	`eq`	`POST` splunkCisco SD-WAN - Arbitrary File Overwrite Exploitation Activity splunkHTTP Rapid POST with Mixed Status Codes splunkJetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 splunkNginx ConnectWise ScreenConnect Authentication Bypass splunkSuspicious Java Classes splunkWeb Spring4Shell HTTP Request Class Module	6	8

Exclusions (571 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`src_ip`	`cidr_match`	`10.0.0.0/8` sigmaFailed Logon From Public IP elasticOllama API Accessed from External Network kustoImperva - Request from unexpected IP address to admin panel kustoOCI - Inbound SSH connection kustoOracleDBAudit - Connection to database from external IP kustoPaloAlto - Inbound connection to high risk ports	6
`src_ip`	`cidr_match`	`127.0.0.0/8` sigmaFailed Logon From Public IP elasticOllama API Accessed from External Network kustoImperva - Request from unexpected IP address to admin panel kustoOCI - Inbound SSH connection kustoOracleDBAudit - Connection to database from external IP kustoPaloAlto - Inbound connection to high risk ports	6
`src_ip`	`cidr_match`	`169.254.0.0/16` sigmaFailed Logon From Public IP elasticOllama API Accessed from External Network kustoImperva - Request from unexpected IP address to admin panel kustoOCI - Inbound SSH connection kustoOracleDBAudit - Connection to database from external IP kustoPaloAlto - Inbound connection to high risk ports	6
`src_ip`	`cidr_match`	`172.16.0.0/12` sigmaFailed Logon From Public IP elasticOllama API Accessed from External Network kustoImperva - Request from unexpected IP address to admin panel kustoOCI - Inbound SSH connection kustoOracleDBAudit - Connection to database from external IP kustoPaloAlto - Inbound connection to high risk ports	6
`src_ip`	`cidr_match`	`192.168.0.0/16` sigmaFailed Logon From Public IP elasticOllama API Accessed from External Network kustoImperva - Request from unexpected IP address to admin panel kustoOCI - Inbound SSH connection kustoOracleDBAudit - Connection to database from external IP kustoPaloAlto - Inbound connection to high risk ports	6
`src_ip`	`in`	`10.0.0.0/8` elasticRDP (Remote Desktop Protocol) from the Internet elasticRPC (Remote Procedure Call) from the Internet elasticVNC (Virtual Network Computing) from the Internet splunkPotential Exposed SMB_RDP Port - Windows (Windows Event Log)	4
`src_ip`	`in`	`127.0.0.0/8` elasticRDP (Remote Desktop Protocol) from the Internet elasticRPC (Remote Procedure Call) from the Internet elasticVNC (Virtual Network Computing) from the Internet splunkPotential Exposed SMB_RDP Port - Windows (Windows Event Log)	4
`src_ip`	`in`	`169.254.0.0/16` elasticRDP (Remote Desktop Protocol) from the Internet elasticRPC (Remote Procedure Call) from the Internet elasticVNC (Virtual Network Computing) from the Internet splunkPotential Exposed SMB_RDP Port - Windows (Windows Event Log)	4
`src_ip`	`in`	`172.16.0.0/12` elasticRDP (Remote Desktop Protocol) from the Internet elasticRPC (Remote Procedure Call) from the Internet elasticVNC (Virtual Network Computing) from the Internet splunkPotential Exposed SMB_RDP Port - Windows (Windows Event Log)	4
`src_ip`	`in`	`192.168.0.0/16` elasticRDP (Remote Desktop Protocol) from the Internet elasticRPC (Remote Procedure Call) from the Internet elasticVNC (Virtual Network Computing) from the Internet splunkPotential Exposed SMB_RDP Port - Windows (Windows Event Log)	4
`src_ip`	`in`	`::1` elasticRDP (Remote Desktop Protocol) from the Internet elasticRPC (Remote Procedure Call) from the Internet elasticVNC (Virtual Network Computing) from the Internet splunkPotential Exposed SMB_RDP Port - Windows (Windows Event Log)	4
`dest_ip`	`in`	`10.0.0.0/8` elasticRPC (Remote Procedure Call) to the Internet elasticSMB (Windows File Sharing) Activity to the Internet splunkDetect Outbound LDAP Traffic	3
`dest_ip`	`in`	`100.64.0.0/10` elasticRPC (Remote Procedure Call) to the Internet elasticSMB (Windows File Sharing) Activity to the Internet splunkDetect Outbound LDAP Traffic	3
`dest_ip`	`in`	`127.0.0.0/8` elasticRPC (Remote Procedure Call) to the Internet elasticSMB (Windows File Sharing) Activity to the Internet splunkDetect Outbound LDAP Traffic	3
`dest_ip`	`in`	`169.254.0.0/16` elasticRPC (Remote Procedure Call) to the Internet elasticSMB (Windows File Sharing) Activity to the Internet splunkDetect Outbound LDAP Traffic	3

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Exploit Public-Facing Application `T1190`

Events covered

Authoring guide

Fields filtered most (355 distinct)

Top indicator values (3199 distinct)

Exclusions (571 distinct)

Rules under this technique

Sigma 146 rules

Elastic 50 rules

Splunk 118 rules

Kusto 172 rules

YARA-L 1 rule

Panther 29 rules

Keyboard shortcuts

Search operators

Exploit Public-Facing Application T1190

Events covered

Authoring guide

Fields filtered most (355 distinct)

Top indicator values (3199 distinct)

Exclusions (571 distinct)

Rules under this technique

Sigma 146 rules

Elastic 50 rules

Splunk 118 rules

Kusto 172 rules

YARA-L 1 rule

Panther 29 rules

Exploit Public-Facing Application `T1190`