T1190

Description

Manual generation of attack data related to ProxyShell.

MITRE ATT&CK Techniques

| ID | Technique | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |

Environment Details

| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | T1190 |
| Test Date | 2021-09-01 |

Datasets

The following datasets were collected during this attack simulation:

Exchange_events-Json

  • Path: /datasets/attack_techniques/T1190/exchange_events.json
  • Sourcetype: MSExchange:Management
  • Source: MSExchange:Management

The following detections in our security content repository use this attack data for testing:

| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| PaperCut NG Suspicious Behavior Debug Log | Hunting | Endpoint | T1190, T1133 | PaperCut MF NG Vulnerability |
| Java Writing JSP File | TTP | Endpoint | T1190, T1133 | Spring4Shell CVE-2022-22965, Atlassian Confluence Server and Data Center CVE-2022-26134, SysAid On-Prem Software CVE-2023-47246 Vulnerability, SAP NetWeaver Exploitation |
| MOVEit Empty Key Fingerprint Authentication Attempt | Hunting | Endpoint | T1190 | MOVEit Transfer Authentication Bypass, Hellcat Ransomware |
| MOVEit Certificate Store Access Failure | Hunting | Endpoint | T1190 | MOVEit Transfer Authentication Bypass |
| Outbound Network Connection from Java Using Default Ports | TTP | Endpoint | T1190, T1133 | Log4Shell CVE-2021-44228 |
| ConnectWise ScreenConnect Path Traversal Windows SACL | TTP | Endpoint | T1190 | ConnectWise ScreenConnect Vulnerabilities, Compromised Windows Host, Seashell Blizzard |
| Windows Shell Process from CrushFTP | TTP | Endpoint | T1059.001, T1059.003, T1190, T1505 | CrushFTP Vulnerabilities |
| Web or Application Server Spawning a Shell | TTP | Endpoint | T1190, T1133 | BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Cleo File Transfer Software, Data Destruction, Flax Typhoon, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Microsoft SharePoint Vulnerabilities, Microsoft WSUS CVE-2025-59287, PHP-CGI RCE Attack on Japanese Organizations, ProxyNotShell, ProxyShell, SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities |
| Linux Java Spawning Shell | TTP | Deprecated | T1190, T1133 | Data Destruction, Spring4Shell CVE-2022-22965, Hermetic Wiper, Log4Shell CVE-2021-44228 |
| Windows Identify PowerShell Web Access IIS Pool | Hunting | Endpoint | T1190 | CISA AA24-241A |
| ConnectWise ScreenConnect Path Traversal | TTP | Endpoint | T1190 | ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard |
| Windows PaperCut NG Spawn Shell | TTP | Endpoint | T1059, T1190, T1133 | PaperCut MF NG Vulnerability, Compromised Windows Host |
| PaperCut NG Remote Web Access Attempt | TTP | Web | T1190, T1133 | PaperCut MF NG Vulnerability |
| Hunting for Log4Shell | Hunting | Web | T1190, T1133 | Log4Shell CVE-2021-44228, CISA AA22-320A |
| Windows IIS Server PSWA Console Access | Hunting | Web | T1190 | CISA AA24-241A |
| Web Remote ShellServlet Access | TTP | Web | T1190 | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, GhostRedirector IIS Module and Rungan Backdoor |
| Web Spring4Shell HTTP Request Class Module | TTP | Web | T1190, T1133 | Spring4Shell CVE-2022-22965 |
| SAP NetWeaver Visual Composer Exploitation Attempt | Hunting | Web | T1190 | SAP NetWeaver Exploitation |
| Log4Shell JNDI Payload Injection with Outbound Connection | Anomaly | Web | T1190, T1133 | Log4Shell CVE-2021-44228, CISA AA22-320A |
| Log4Shell JNDI Payload Injection Attempt | Anomaly | Web | T1190, T1133 | Log4Shell CVE-2021-44228, CISA AA22-257A, CISA AA22-320A |
| JetBrains TeamCity Authentication Bypass CVE-2024-27198 | TTP | Web | T1190 | JetBrains TeamCity Vulnerabilities |
| JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 | TTP | Web | T1190 | JetBrains TeamCity Vulnerabilities, Hellcat Ransomware |
| Tomcat Session Deserialization Attempt | Anomaly | Web | T1190, T1505.003 | Apache Tomcat Session Deserialization Attacks |
| Tomcat Session File Upload Attempt | Anomaly | Web | T1190, T1505.003 | Apache Tomcat Session Deserialization Attacks |
| Cisco IOS XE Implant Access | TTP | Web | T1190 | Cisco IOS XE Software Web Management User Interface vulnerability |
| Adobe ColdFusion Access Control Bypass | TTP | Web | T1190 | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 |
| Juniper Networks Remote Code Execution Exploit Detection | TTP | Web | T1190, T1105, T1059 | Juniper JunOS Remote Code Execution |
| Adobe ColdFusion Unauthenticated Arbitrary File Read | TTP | Web | T1190 | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 |
| HTTP Duplicated Header | Anomaly | Web | T1071.001, T1190 | HTTP Request Smuggling |
| HTTP Possible Request Smuggling | TTP | Web | T1071.001 | HTTP Request Smuggling |
| Ivanti EPM SQL Injection Remote Code Execution | TTP | Web | T1190 | Ivanti EPM Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware |
| Spring4Shell Payload URL Request | TTP | Web | T1133, T1190, T1505.003 | Spring4Shell CVE-2022-22965 |
| Web JSP Request via URL | TTP | Web | T1133, T1190, T1505.003 | Spring4Shell CVE-2022-22965, Earth Alux |
| Ivanti Connect Secure Command Injection Attempts | TTP | Web | T1190 | Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A |
| Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | TTP | Web | T1190 | Confluence Data Center and Confluence Server Vulnerabilities |
| Ivanti Connect Secure SSRF in SAML Component | TTP | Web | T1190 | Ivanti Connect Secure VPN Vulnerabilities |
| Windows Exchange Autodiscover SSRF Abuse | TTP | Web | T1190, T1133 | ProxyShell, BlackByte Ransomware, ProxyNotShell, Seashell Blizzard |
| JetBrains TeamCity RCE Attempt | TTP | Web | T1190 | JetBrains TeamCity Unauthenticated RCE, CISA AA23-347A, JetBrains TeamCity Vulnerabilities |
| ProxyShell ProxyNotShell Behavior Detected | Correlation | Web | T1190, T1133 | ProxyShell, ProxyNotShell, Seashell Blizzard |
| JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 | TTP | Web | T1190 | JetBrains TeamCity Vulnerabilities |
| Windows SharePoint Spinstall0 GET Request | TTP | Web | T1190, T1505.003, T1552 | Microsoft SharePoint Vulnerabilities |
| WS FTP Remote Code Execution | TTP | Web | T1190 | WS FTP Server Critical Vulnerabilities |
| Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | TTP | Web | T1190 | Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A |
| VMWare Aria Operations Exploit Attempt | TTP | Web | T1133, T1190, T1210, T1068 | VMware Aria Operations vRealize CVE-2023-20887 |
| Nginx ConnectWise ScreenConnect Authentication Bypass | TTP | Web | T1190 | ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard, Scattered Lapsus$ Hunters, Hellcat Ransomware |
| Ivanti Sentry Authentication Bypass | TTP | Web | T1190 | Ivanti Sentry Authentication Bypass CVE-2023-38035 |
| Microsoft SharePoint Server Elevation of Privilege | TTP | Web | T1068 | Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 |
| Fortinet Appliance Auth bypass | TTP | Web | T1190, T1133 | CVE-2022-40684 Fortinet Appliance Auth bypass |
| Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure | Anomaly | Web | T1190 | Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 |
| Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 | TTP | Web | T1190, T1133 | Ivanti EPMM Remote Unauthenticated Access |
| Web Spring Cloud Function FunctionRouter | TTP | Web | T1190, T1133 | Spring4Shell CVE-2022-22965 |
| Windows SharePoint ToolPane Endpoint Exploitation Attempt | TTP | Web | T1190, T1505.003 | Microsoft SharePoint Vulnerabilities |
| F5 TMUI Authentication Bypass | TTP | Web | N/A | F5 Authentication Bypass with TMUI |
| HTTP Request to Reserved Name on IIS Server | TTP | Web | T1071.001, T1190 | HTTP Request Smuggling |
| Confluence CVE-2023-22515 Trigger Vulnerability | TTP | Web | T1190 | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server |
| Jenkins Arbitrary File Read CVE-2024-23897 | TTP | Web | T1190 | Jenkins Server Vulnerabilities, Hellcat Ransomware |
| Citrix ADC Exploitation CVE-2023-3519 | Hunting | Web | T1190 | Citrix Netscaler ADC CVE-2023-3519, CISA AA24-241A |
| Confluence Data Center and Server Privilege Escalation | TTP | Web | T1190 | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities |
| Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 | TTP | Web | T1190, T1133 | Fortinet FortiNAC CVE-2022-39952, Hellcat Ransomware |
| Ivanti Connect Secure System Information Access via Auth Bypass | Anomaly | Web | T1190 | Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A |
| Citrix ShareFile Exploitation CVE-2023-24489 | Hunting | Web | T1190 | Citrix ShareFile RCE CVE-2023-24489 |
| Java Class File download by Java User Agent | TTP | Web | T1190 | Log4Shell CVE-2021-44228 |
| Exploit Public Facing Application via Apache Commons Text | Anomaly | Web | T1133, T1190, T1505.003 | Text4Shell CVE-2022-42889 |
| Citrix ADC and Gateway Unauthorized Data Disclosure | TTP | Web | T1190 | Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters |
| Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | TTP | Web | T1505, T1190, T1133 | Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities |
| CrushFTP Authentication Bypass Exploitation | TTP | Web | T1190, T1059.003, T1059.001 | CrushFTP Vulnerabilities, Hellcat Ransomware |
| CrushFTP Max Simultaneous Users From IP | Anomaly | Web | T1110.001, T1110.004 | CrushFTP Vulnerabilities |
| HTTP Rapid POST with Mixed Status Codes | Anomaly | Web | T1071.001, T1190, T1595 | HTTP Request Smuggling |
| ConnectWise ScreenConnect Authentication Bypass | TTP | Web | T1190 | ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard |
| WordPress Bricks Builder plugin RCE | TTP | Web | T1190 | WordPress Vulnerabilities, Hellcat Ransomware |
| VMware Workspace ONE Freemarker Server-side Template Injection | Anomaly | Web | T1190, T1133 | VMware Server Side Injection and Privilege Escalation |
| VMware Server Side Template Injection Hunt | Hunting | Web | T1190, T1133 | VMware Server Side Injection and Privilege Escalation |
| HTTP Suspicious Tool User Agent | Anomaly | Web | T1071.001 | HTTP Request Smuggling |
| Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 | TTP | Web | T1190, T1133 | Ivanti EPMM Remote Unauthenticated Access |
| Ivanti VTM New Account Creation | TTP | Application | T1190 | Ivanti Virtual Traffic Manager CVE-2024-7593, Scattered Lapsus$ Hunters, Hellcat Ransomware |
| CrushFTP Server Side Template Injection | TTP | Application | T1190 | CrushFTP Vulnerabilities, Hellcat Ransomware |
| Cisco Smart Install Oversized Packet Detection | TTP | Network | T1190 | Cisco Smart Install Remote Code Execution CVE-2018-0171 |
| Cisco Smart Install Port Discovery and Status | TTP | Network | T1190 | Scattered Lapsus$ Hunters, Cisco Smart Install Remote Code Execution CVE-2018-0171 |
| Cisco TFTP Server Configuration for Data Exfiltration | TTP | Network | T1567, T1005 | Cisco Smart Install Remote Code Execution CVE-2018-0171 |
| Cisco Configuration Archive Logging Analysis | Hunting | Network | T1562.001, T1098, T1505.003 | Cisco Smart Install Remote Code Execution CVE-2018-0171 |
| Cisco IOS Suspicious Privileged Account Creation | Anomaly | Network | T1136, T1078 | Cisco Smart Install Remote Code Execution CVE-2018-0171 |
| Cisco Network Interface Modifications | Anomaly | Network | T1556, T1021, T1133 | Cisco Smart Install Remote Code Execution CVE-2018-0171 |
| Cisco SNMP Community String Configuration Changes | Anomaly | Network | T1562.001, T1040, T1552 | Cisco Smart Install Remote Code Execution CVE-2018-0171 |
| F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | TTP | Network | T1190, T1133 | F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A |

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

    python replay.py --dataset /datasets/attack_techniques/T1190/exchange_events.json --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above
  2. Configure your Splunk instance with the appropriate sourcetypes
  3. Import the logs using the Splunk Add Data wizard

Find more detections and analytics for this attack technique in our security content repository.


Source: GitHub | Version: 1.0