Not every protection is detection-based; protection can also mean prevention, by configuring your network to standards. This blog series (MITRE Hunting) will focus on each MITRE technique and tactic and its detection/prevention process.
MITRE Technique ID: T1190
Reference: Exploit Public-Facing Application, Technique T1190 – Enterprise | MITRE ATT&CK®
The next technique in line is adversaries' attempt to take advantage of a weakness in an Internet-facing computer or program, using software, data, or commands to cause unintended or unanticipated behavior.
A flaw in the system could be a glitch, a bug, or a design flaw. These applications, which frequently take the form of websites, can also take the form of databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other programs with open sockets that can connect to the Internet, like web servers and associated services.
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container.
Comments on Detection & Prevention Mechanisms:
- Application isolation will restrict the target of an exploit’s access to other processes and system components.
- To prevent exploit traffic from reaching an application, web application firewalls can be used to restrict the exposure of the application.
- Use a DMZ or a different hosting architecture to divide servers and services that are accessible from the outside world from the rest of the network.
- By using least privilege for service accounts, you can restrict the access that an exploited process has to other parts of the system.
- Practice regular patch management and keep software up to date.
- Schedule vulnerability scans of external-facing systems and establish methods to quickly fix systems when serious vulnerabilities are found.
| Data Source | Detection |
| --- | --- |
| Application Log | Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. |
| Network Traffic | Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. |
Possible detection/threat hunting rules:
Title: Multiple Suspicious Resp Codes Caused by Single Client
Description: Detects possible exploitation activity or bugs in a web application.
Author: 'Meena Rajendran'
Date: 12/15/2022
Tags:
Logsource: Web logs, IIS logs
Detection pseudo:
    HTTP Status codes: '400', '401', '403', '500'
    Timeframe: 10m
Condition: count() by client_ip > 10
Level: Medium

Title: Plain HTTP POST Exfiltrated Data
Description: Detect potential plain HTTP POST method data exfiltration.
Author: 'Meena Rajendran'
Date: 12/15/2022
Tags:
Logsource: Web logs, IIS logs
Detection pseudo:
    HTTP Method: POST
    Arguments/Commands (contains any): 'wermgr.exe', 'svchost.exe', 'name="proclist"', 'ipconfig', 'name="sysinfo"', 'et view'
Condition: HTTP Method and Arguments
Level: High

Title: Suspicious Commandline using Compression Tools
Description: Detects suspicious command line arguments of common data compression tools.
Author: 'Meena Rajendran'
Date: 12/15/2022
Tags:
Logsource: EDR process creation logs, Windows Security process creation logs.
Detection pseudo:
    OriginalFileName (contains any): '7z*.exe', '*rar.exe', '*Command*Line*RAR*'
    CommandLine (contains any): '* -p*', '* -ta*', '* -tb*', '* -sdel*', '* -dw*', '* -hp*'
Condition: OriginalFileName and CommandLine
BenignPositives: Any ParentImage that contains 'C:\Program*'
Level: High
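The three pseudo-rules above turned into runnable detection logic, as an added example that is not part of the original post. The web log format (IIS W3C-style lines with the fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status), the process-event field names (OriginalFileName, CommandLine, ParentImage) and every sample log line and event are constructed assumptions; the match strings and thresholds are the ones the rules state.

```python
"""Three T1190 hunting rules as code, run over constructed sample data.
Added example; not the original post's tooling."""
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Rule 1 (Multiple Suspicious Resp Codes Caused by Single Client)
SUSPICIOUS_CODES = {"400", "401", "403", "500"}

# Rule 2 (Plain HTTP POST Exfiltrated Data), markers copied from the rule
EXFIL_MARKERS = ['wermgr.exe', 'svchost.exe', 'name="proclist"',
                 'ipconfig', 'name="sysinfo"', 'et view']

# Rule 3 (Suspicious Commandline using Compression Tools); patterns lowercased
# because Sigma-style 'contains' matching is case-insensitive
ARCHIVER_NAMES = ['7z*.exe', '*rar.exe', '*command*line*rar*']
ARCHIVER_ARGS = ['* -p*', '* -ta*', '* -tb*', '* -sdel*', '* -dw*', '* -hp*']
BENIGN_PARENT = 'c:\\program*'


def parse_web_log(text):
    """Parse constructed W3C-style lines: date time c-ip method uri-stem uri-query status."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, method, stem, query, status = line.split()
        events.append({"ts": datetime.fromisoformat(f"{date} {time}"),
                       "client_ip": ip, "method": method, "uri": stem,
                       "query": "" if query == "-" else query, "status": status})
    return events


def rule_multiple_suspicious_codes(events, window=timedelta(minutes=10), threshold=10):
    """Flag client IPs with more than `threshold` suspicious responses inside any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] in SUSPICIOUS_CODES:
            by_ip[e["client_ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def rule_plain_http_post_exfil(events):
    """Return POST requests whose URI or query carries one of the exfil markers.
    Caveat: IIS W3C logs do not record the POST body, so for body-borne markers
    this needs a WAF or proxy log that captures request bodies."""
    return [e for e in events if e["method"] == "POST"
            and any(m in e["uri"] + " " + e["query"] for m in EXFIL_MARKERS)]


def rule_compression_tool_cmdline(proc_events):
    """Archiver binary + suspicious switch, minus the rule's listed benign parent."""
    hits = []
    for p in proc_events:
        name, cmd, parent = (p[k].lower() for k in ("OriginalFileName", "CommandLine", "ParentImage"))
        if not any(fnmatchcase(name, pat) for pat in ARCHIVER_NAMES):
            continue
        if not any(fnmatchcase(cmd, pat) for pat in ARCHIVER_ARGS):
            continue
        if fnmatchcase(parent, BENIGN_PARENT):
            continue                   # BenignPositives exclusion from the rule
        hits.append(p)
    return hits


def _constructed_web_log():
    """Constructed sample: one noisy client, one slow client, one suspicious POST."""
    lines = ["2022-12-15 10:00:00 10.0.0.7 GET /index.html - 200",
             "2022-12-15 10:00:05 10.0.0.7 GET /login.aspx - 403",
             "2022-12-15 10:02:30 10.0.0.5 POST /upload.aspx data=ipconfig 200"]
    base = datetime(2022, 12, 15, 10, 0, 0)
    for i in range(11):                # 11 errors from 10.0.0.5 within ~4 minutes
        t = base + timedelta(seconds=25 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /admin/p{i}.aspx id={i} {'403' if i % 2 else '500'}")
    for i in range(11):                # 11 errors from 10.0.0.9 spread over 50 minutes
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.9 GET /search.aspx q={i} 500")
    return "\n".join(lines)


SAMPLE_WEB_LOG = _constructed_web_log()

SAMPLE_PROCESS_EVENTS = [  # constructed
    {"OriginalFileName": "7z.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"C:\\Tools\\7z.exe" a -pX -sdel out.7z C:\\Users\\bob\\Documents'},
    {"OriginalFileName": "WinRAR.exe", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "CommandLine": '"C:\\Program Files\\WinRAR\\WinRAR.exe" x archive.rar'},
    {"OriginalFileName": "Rar.exe", "ParentImage": "C:\\Program Files\\WinRAR\\Rar.exe",
     "CommandLine": 'rar.exe a -hp -ta20221201 backup.rar C:\\Finance'},
]

if __name__ == "__main__":
    web = parse_web_log(SAMPLE_WEB_LOG)
    print("rule 1 flagged:", sorted(rule_multiple_suspicious_codes(web)))
    print("rule 2 hits:", [e["uri"] + "?" + e["query"] for e in rule_plain_http_post_exfil(web)])
    print("rule 3 hits:", [p["CommandLine"] for p in rule_compression_tool_cmdline(SAMPLE_PROCESS_EVENTS)])
```

Running it flags only 10.0.0.5 under rule 1 (10.0.0.9 has the same number of errors but never more than three inside a 10-minute window, which is why the time frame belongs in the rule), the single POST carrying the ipconfig marker under rule 2, and the 7z.exe launch from cmd.exe under rule 3, while the Rar.exe event with the same switches is suppressed by the 'C:\Program*' parent exclusion.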