T1190 is the cloud-era attack pattern behind Log4Shell and the Confluence RCEs: most internet-facing breach reports of recent years involve it. DCV ships dense T1190 coverage anchored by Azure WAF policies, GCP PUBLIC_SQL_INSTANCE, and GuardDuty's MetadataDNSRebind for the post-exploitation IMDS-reflection pattern. When a fresh CVE drops for an exposed cloud service, CloudSigma turns the advisory into a Sigma rule before your SOC finishes triaging the news. T1190 is the first technique your detection coverage must address.
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers. Depending on the flaw being exploited, this may also involve Exploitation for Stealth or Exploitation for Client Execution.
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the Cloud Instance Metadata API), exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.
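The instance-metadata path described above is the pattern behind the IMDS-reflection and DNS-rebind findings this page refers to. As an added example (not DCV, CloudSigma or GuardDuty code, and not a Sigma rule), the following Python flags the two indicators a defender can see in logs: a resolver answering an arbitrary hostname with the link-local metadata address, and a URL-fetching web endpoint being handed a parameter that points at that address, including decimal and hex spellings of it. The JSON resolver-log shape and the Apache-style access lines are constructed formats, and every hostname and address in the samples is made up (RFC 5737 ranges and the `.test` TLD).

```python
"""Two IMDS-abuse indicators over constructed log samples.

Added example; not DCV, CloudSigma or GuardDuty code. Log formats,
hostnames and addresses below are constructed for illustration.
"""
import ipaddress
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Link-local instance-metadata endpoints (IPv4 shared by AWS/GCP/Azure, AWS IPv6).
METADATA_IPS = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}
# Names that legitimately resolve to the metadata address on AWS and GCP;
# any other name answering with that address is the DNS-rebind pattern.
EXPECTED_METADATA_HOSTS = {"instance-data", "metadata.google.internal", "metadata"}

# Constructed resolver log lines (assumed JSON shape, not a vendor format).
SAMPLE_DNS = [
    '{"src": "10.0.1.23", "query_name": "api.updates.example.", "answers": ["203.0.113.10"]}',
    '{"src": "10.0.1.23", "query_name": "assets.rebind-demo.test.", "answers": ["169.254.169.254"]}',
    '{"src": "10.0.1.23", "query_name": "instance-data.", "answers": ["169.254.169.254"]}',
]

# Constructed Apache-style access log lines for a URL-fetching endpoint.
SAMPLE_ACCESS = [
    '198.51.100.7 - - [10/Oct/2024:13:55:36 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /fetch?url=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2024:13:56:01 +0000] "GET /fetch?url=https://www.example.com/feed.xml HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2024:13:56:02 +0000] "GET /search?q=meta-data HTTP/1.1" 200 100',
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _host_is_metadata(host: str) -> bool:
    """True if host is a metadata address, including decimal/hex IPv4 spellings."""
    try:
        return ipaddress.ip_address(host) in METADATA_IPS
    except ValueError:
        pass
    try:
        # "2852039166" and "0xa9fea9fe" are alternate spellings of 169.254.169.254
        return ipaddress.ip_address(int(host, 0)) in METADATA_IPS
    except ValueError:
        return host.lower() in EXPECTED_METADATA_HOSTS


def dns_rebind_hits(dns_lines):
    """(query_name, answer) pairs where an unexpected name resolved to the metadata address."""
    hits = []
    for line in dns_lines:
        rec = json.loads(line)
        name = rec.get("query_name", "").rstrip(".").lower()
        for answer in rec.get("answers", []):
            try:
                addr = ipaddress.ip_address(answer)
            except ValueError:
                continue  # CNAME or other non-address answer
            if addr in METADATA_IPS and name not in EXPECTED_METADATA_HOSTS:
                hits.append((name, answer))
    return hits


def ssrf_hits(access_lines):
    """(client, param, value) for query parameters that aim a server-side fetch at IMDS."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                candidate = unquote(value)  # parse_qs decoded once; this also catches double-encoding
                try:
                    host = urlsplit(candidate if "://" in candidate else "//" + candidate).hostname
                except ValueError:
                    continue  # malformed bracketed IPv6 literal
                if host and _host_is_metadata(host):
                    hits.append((m["src"], param, candidate))
    return hits


if __name__ == "__main__":
    for name, answer in dns_rebind_hits(SAMPLE_DNS):
        print(f"DNS rebind: {name} -> {answer}")
    for src, param, value in ssrf_hits(SAMPLE_ACCESS):
        print(f"SSRF to IMDS: client={src} param={param} value={value}")
```

The two checks are deliberately independent: the access-log check only sees the web layer and can be evaded by an encoding the parser does not normalise, while the resolver check fires on the instance's own DNS activity regardless of how the request arrived. On AWS, enforcing IMDSv2 (a session token must first be obtained with a PUT request) removes most of the value of a GET-only reflected request, which is why the access-log hit should be read together with the instance's metadata configuration rather than as a confirmed credential exposure.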
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.
Platforms: Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows.
DCV maps 75 detections across 3 cloud providers to T1190. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| Azure Policy | Azure | 19 | 0.88 |
| AWS Security Hub | AWS | 14 | 0.81 |
| Microsoft Defender for Cloud | Azure | 14 | 0.91 |
| AWS Config Rules | AWS | 13 | 0.65 |
| GCP Security Command Center | GCP | 6 | 0.82 |
| AWS Inspector | AWS | 5 | 0.87 |
| AWS GuardDuty | AWS | 2 | 0.75 |
| Azure Regulatory Compliance | Azure | 1 | 0.95 |
| GCP Chronicle | GCP | 1 | 0.90 |
CloudSigma has coverage metadata for 75 T1190 rules across 4 platforms, but no public example rule clears the embed bar for this page yet; the linked platform page remains the canonical rule surface, and this page will embed an example once a rule clears that bar. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 75 cloud-native detections to T1190 across 3 cloud providers, drawn from AWS Config Rules, AWS GuardDuty, AWS Inspector, AWS Security Hub, Azure Policy, Azure Regulatory Compliance, GCP Chronicle, GCP Security Command Center and Microsoft Defender for Cloud.
T1190 is part of MITRE ATT&CK TA0001 (Initial Access), the tactic covering how adversaries get into the environment.
CloudSigma ships 11 validated Sigma rules for T1190 across AWS CloudTrail, Azure Activity, GCP Audit Logs and ModSecurity. Each rule is validated against its source SIEM dialect before publication.