MITRE ATT&CK · TA0001 Initial Access

T1190 Exploit Public-Facing Application

Detection coverage in DCV across AWS, Azure and GCP for Exploit Public-Facing Application, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.

01 What is T1190?

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers. Depending on the flaw being exploited, this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the Cloud Instance Metadata API), exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.

Platforms: Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows.

02 Coverage in DCV

DCV maps 75 detections across 3 cloud providers to T1190. Coverage by source:

Source                          Cloud   Findings mapped   Avg confidence
Azure Policy                    Azure   19                0.88
AWS Security Hub                AWS     14                0.81
Microsoft Defender for Cloud    Azure   14                0.91
AWS Config Rules                AWS     13                0.65
GCP Security Command Center     GCP      6                0.82
AWS Inspector                   AWS      5                0.87
AWS GuardDuty                   AWS      2                0.75
Azure Regulatory Compliance     Azure    1                0.95
GCP Chronicle                   GCP      1                0.90

03 Detect with CloudSigma

CloudSigma ships 3 Sigma rules tagged attack.t1190 across 3 platforms; each is validated against its target SIEM dialect before publication. One of them is reproduced below.

Example: AWS Security Group Modification Exposing Public-Facing Services

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence. The falsepositives section lists the benign activity to expect; before enabling the rule in production, add filters in your SIEM for your environment's deployment automation, service accounts and IP allowlist.

Sigma rule · CloudSigma 2026-02-06
title: AWS Security Group Modification Exposing Public-Facing Services
id: cee86b4d-f883-48b7-8729-e56446c7ed2c
status: experimental
description: >
    Detects modifications to AWS security group ingress rules that may expose
    services to the internet. Adversaries may modify security groups to allow
    inbound traffic from any source, creating attack surface for exploitation.
author: CloudSigma
date: 2026-02-06
references:
    - https://attack.mitre.org/techniques/T1190/
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: ec2.amazonaws.com
        eventName: AuthorizeSecurityGroupIngress
    # Field paths follow the CloudTrail requestParameters nesting; adjust to your backend's flattening.
    world_open_v4:
        requestParameters.ipPermissions.items.ipRanges.items.cidrIp: '0.0.0.0/0'
    world_open_v6:
        requestParameters.ipPermissions.items.ipv6Ranges.items.cidrIpv6: '::/0'
    world_open_legacy:
        requestParameters.cidrIp: '0.0.0.0/0'
    condition: selection and 1 of world_open_*
falsepositives:
    - Legitimate security group rule changes during application deployment
    - Network administrators modifying firewall rules for authorized services
level: medium
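The check the rule's description calls for (an inbound rule opened to any source), run over constructed CloudTrail records as an added example; this is not code from the page or from CloudSigma. It flags only AuthorizeSecurityGroupIngress records whose range is 0.0.0.0/0 or ::/0, so a restricted CIDR and an egress authorization pass through, and it handles both the ipPermissions request shape and the legacy single-rule form where cidrIp sits directly under requestParameters. The field layout follows the EC2 API as CloudTrail logs it; the security-group IDs are made up.

```python
"""Added example (not CloudSigma code): flag AuthorizeSecurityGroupIngress
records that open a security group to any source. Record layout follows the
EC2 API as CloudTrail logs it; group IDs are constructed."""
from __future__ import annotations

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed CloudTrail records, trimmed to the fields the check reads.
SAMPLE_EVENTS = [
    {   # SSH opened to the whole IPv4 internet: should alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f60001",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {   # HTTPS from an internal range: benign, no alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f60002",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}},
    {   # Egress to anywhere: exposes no listening service, no alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupEgress",
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f60003",
            "ipPermissions": {"items": [
                {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {   # RDP opened to the whole IPv6 internet: should alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f60004",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
                 "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
    {   # Legacy single-rule form (cidrIp/fromPort/toPort at top level): should alert
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f60005",
            "ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
            "cidrIp": "0.0.0.0/0"}},
]


def _permissions(params: dict) -> list[dict]:
    """Normalise both request shapes to a list of ipPermissions entries."""
    items = (params.get("ipPermissions") or {}).get("items") or []
    if not items and params.get("cidrIp") is not None:
        items = [{"ipProtocol": params.get("ipProtocol"),
                  "fromPort": params.get("fromPort"),
                  "toPort": params.get("toPort"),
                  "ipRanges": {"items": [{"cidrIp": params["cidrIp"]}]}}]
    return items


def world_open_ranges(event: dict) -> list[tuple]:
    """Return (protocol, fromPort, toPort, cidr) for every range in an
    AuthorizeSecurityGroupIngress record that is open to any source; empty for
    other event names, other CIDRs, and egress rules."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    hits = []
    for perm in _permissions(event.get("requestParameters") or {}):
        cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items") or []]
        cidrs += [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items") or []]
        for cidr in cidrs:
            if cidr in WORLD_CIDRS:
                hits.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr))
    return hits


def evaluate(events: list[dict]) -> list[dict]:
    """One alert per record that opens at least one range to the world."""
    alerts = []
    for event in events:
        hits = world_open_ranges(event)
        if hits:
            alerts.append({"groupId": event["requestParameters"].get("groupId"), "exposed": hits})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["groupId"], alert["exposed"])
```

Running the module prints three alerts (the SSH, RDP and legacy MySQL records) and nothing for the internal HTTPS rule or the egress change. Keying on the API name alone, as a coarser rule would, fires on every one of these five records, which is the noise the falsepositives section warns about.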

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1190/
  • MITRE Tactic TA0001 Initial Access, https://attack.mitre.org/tactics/TA0001/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings (https://center-for-threat-informed-defense.github.io/security-stack-mappings/)
Last verified: 2026-04-24