Adversary sends crafted HTTP/S (or other service) input to an Internet-facing app (IIS/ASP.NET, API, device portal). Chain: (1) abnormal request patterns to public endpoint → (2) elevated 4xx/5xx or unusual methods/paths → (3) server process (w3wp.exe/other service) spawns shell/LOLbins or loads non-standard modules → (4) optional outbound callback from the host/container.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | ApplicationLog:IIS | IIS W3C logs in C:\inetpub\logs\LogFiles\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns) |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| PublicVIPs | List of public IPs/hostnames that front apps; used to scope web log and Zeek/proxy data. |
| SuspiciousPatterns | Regex set for exploit-like inputs (../, union select, cmd=, ${jndi:, rO0AB (Java serialization), %00, ${env:}, ${${::-j}ndi}). |
| ErrorRateThreshold | Spike threshold for HTTP status 5xx/4xx per client or URI (e.g., >5 in 5m). |
| TimeWindow | Correlation horizon between request, error, process spawn, and egress (e.g., 15 minutes). |
| AllowedChildList | Known child processes of app pools (e.g., msbuild.exe in CI) to reduce false positives. |

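The Windows chain above, worked as an added example (it is not part of the original analytic and not vendor code): it parses IIS W3C log text, matches SuspiciousPatterns against both the raw and the URL-decoded URI (IIS logs keep the client's percent-encoding, so `${jndi:` arrives as `%24%7Bjndi%3A`), counts 4xx/5xx per client in a sliding ErrorRateThreshold window, and joins Sysmon EventCode=1 spawns from w3wp.exe that are not in AllowedChildList to suspicious requests inside TimeWindow. The log excerpt, the Sysmon event dicts, the pattern list and the threshold values are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from urllib.parse import unquote_plus

# Mutable fields from the analytic; the concrete values are constructed for this example.
SUSPICIOUS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\.\./", r"union\s+select", r"\bcmd=", r"\$\{jndi:", r"rO0AB",
    r"%00", r"\$\{env:", r"\$\{\$\{::-j\}ndi\}",
)]
ERROR_RATE_THRESHOLD = 5              # more than 5 4xx/5xx per client ...
ERROR_WINDOW = timedelta(minutes=5)   # ... inside any 5-minute sliding window
TIME_WINDOW = timedelta(minutes=15)   # request -> process spawn correlation horizon
ALLOWED_CHILD_LIST = {"csc.exe", "conhost.exe", "msbuild.exe"}   # expected app-pool children
WEB_PROCESS = "w3wp.exe"


def parse_iis_w3c(lines):
    """Parse IIS W3C text into dicts keyed by the #Fields directive (space-delimited values)."""
    fields, rows = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def _ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def suspicious_requests(rows):
    """Requests whose stem or query matches SuspiciousPatterns, checked raw and URL-decoded."""
    hits = []
    for r in rows:
        raw = r["cs-uri-stem"] + "?" + r["cs-uri-query"]
        decoded = unquote_plus(raw)
        if any(p.search(raw) or p.search(decoded) for p in SUSPICIOUS_PATTERNS):
            hits.append({"time": _ts(r), "client": r["c-ip"], "uri": decoded, "status": r["sc-status"]})
    return hits


def error_bursts(rows):
    """Clients exceeding ERROR_RATE_THRESHOLD 4xx/5xx inside ERROR_WINDOW; maps client -> time crossed."""
    per_client = defaultdict(list)
    for r in rows:
        if r["sc-status"][0] in "45":
            per_client[r["c-ip"]].append(_ts(r))
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > ERROR_WINDOW:   # slide the window's left edge
                start += 1
            if end - start + 1 > ERROR_RATE_THRESHOLD:
                flagged[client] = t
                break
    return flagged


def correlate(rows, sysmon_events):
    """Sysmon EventCode=1 children of w3wp.exe outside AllowedChildList, joined to prior suspicious requests."""
    hits = suspicious_requests(rows)
    alerts = []
    for ev in sysmon_events:
        if ev.get("EventCode") != 1:
            continue
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        child = PureWindowsPath(ev["Image"]).name.lower()
        if parent != WEB_PROCESS or child in ALLOWED_CHILD_LIST:
            continue
        spawn = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        related = [h for h in hits if timedelta(0) <= spawn - h["time"] <= TIME_WINDOW]
        alerts.append({"time": spawn, "child": child, "command_line": ev.get("CommandLine", ""),
                       "related": related, "severity": "high" if related else "medium"})
    return alerts


# Constructed IIS W3C excerpt (W3C extended format shape; not real traffic).
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status time-taken
2024-05-01 10:00:01 10.0.0.5 GET /api/items q=1 443 203.0.113.9 curl/8.0 200 15
2024-05-01 10:00:03 10.0.0.5 GET /api/items id=1%27+union+select+1,2 443 203.0.113.9 curl/8.0 500 40
2024-05-01 10:00:04 10.0.0.5 GET /download file=..%2F..%2Fweb.config 443 203.0.113.9 curl/8.0 403 3
2024-05-01 10:01:00 10.0.0.5 GET /a - 443 198.51.100.7 python-requests/2.31 404 1
2024-05-01 10:01:10 10.0.0.5 GET /b - 443 198.51.100.7 python-requests/2.31 404 1
2024-05-01 10:01:20 10.0.0.5 GET /c - 443 198.51.100.7 python-requests/2.31 404 1
2024-05-01 10:01:30 10.0.0.5 GET /d - 443 198.51.100.7 python-requests/2.31 404 1
2024-05-01 10:01:40 10.0.0.5 GET /e - 443 198.51.100.7 python-requests/2.31 404 1
2024-05-01 10:01:50 10.0.0.5 GET /f - 443 198.51.100.7 python-requests/2.31 404 1
"""
ROWS = parse_iis_w3c(IIS_LOG.splitlines())

# Constructed Sysmon events (fields named as in Sysmon XML; values are fictitious).
SYSMON_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:05.117", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:06.000", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "csc.exe /noconfig /t:library"},
    {"EventCode": 1, "UtcTime": "2024-05-01 13:30:00.000", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventCode": 3, "UtcTime": "2024-05-01 10:00:09.000", "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 4444},
]

if __name__ == "__main__":
    print("error bursts:", error_bursts(ROWS))
    for a in correlate(ROWS, SYSMON_EVENTS):
        print(a["severity"], a["time"], a["child"], len(a["related"]), "related request(s)")
```

The 13:30 cmd.exe spawn has no suspicious request inside TimeWindow and is reported at medium severity rather than dropped: an app pool spawning a shell is worth a ticket on its own, while the 10:00 spawn that follows two matching requests is the full chain.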
Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | ApplicationLog:WebServer | /var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Content (DC0085) | NSM:Flow | HTTP payloads with SQLi/LFI/JNDI/deserialization indicators |

| Field | Description |
|---|---|
| WebProcList | Server/interpreter names to watch (apache2, httpd, nginx, php-fpm, uwsgi, gunicorn, node). |
| ChildToolList | Post-exploitation binaries (sh, bash, curl, wget, python, perl, socat, nc). |
| BurstThreshold | Rate of errors/requests per src_ip/uri to flag reconnaissance/exploit spray. |
| TimeWindow | Exec/network correlation window. |

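Steps (2) and (3) of the Linux chain as an added example (not part of the original analytic): it groups raw auditd SYSCALL/EXECVE records by their `audit(timestamp:serial)` id, resolves each execve's parent by remembering the `exe` of every pid seen so far, flags WebProcList parents that spawn ChildToolList children, and attaches 5xx responses from the Apache/Nginx combined-format access log that fell inside TimeWindow before the spawn. The audit records, access-log lines and list values are constructed; the pid-to-exe map assumes the web server's own execve was captured (in production, seed it from a /proc snapshot at collector start so long-running daemons are known).

```python
import re
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

# Mutable fields (constructed values for this example).
WEB_PROC_LIST = {"apache2", "httpd", "nginx", "php-fpm", "uwsgi", "gunicorn", "node"}
CHILD_TOOL_LIST = {"sh", "bash", "dash", "curl", "wget", "python", "python3", "perl", "socat", "nc"}
TIME_WINDOW = timedelta(minutes=10)

AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
AUDIT_MSG = re.compile(r"audit\((\d+\.\d+):(\d+)\)")   # msg=audit(epoch.ms:serial)
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse_auditd(lines):
    """Merge the SYSCALL and EXECVE records that share one serial into a single execve event."""
    events = {}
    for line in lines:
        if not line.startswith("type="):
            continue
        kv = {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}
        m = AUDIT_MSG.search(kv.get("msg", ""))
        if not m:
            continue
        epoch, serial = float(m.group(1)), int(m.group(2))
        ev = events.setdefault(serial, {"time": datetime.fromtimestamp(epoch, tz=timezone.utc)})
        if kv["type"] == "SYSCALL":
            ev.update(pid=int(kv["pid"]), ppid=int(kv["ppid"]), exe=kv["exe"], comm=kv["comm"], uid=int(kv["uid"]))
        elif kv["type"] == "EXECVE":
            ev["argv"] = [kv[f"a{i}"] for i in range(int(kv["argc"])) if f"a{i}" in kv]
    return [events[s] for s in sorted(events) if "exe" in events[s]]


def parse_access_log(lines):
    """Combined-format access log lines -> dicts with aware UTC timestamps."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            out.append({"time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), "src_ip": m["ip"],
                        "request": m["req"], "status": int(m["status"])})
    return out


def web_spawned_tools(exec_events):
    """Execve events whose parent is a watched web process and whose child is a post-exploitation tool."""
    pid_to_exe, findings = {}, []
    for ev in exec_events:                      # serial order: parents are recorded before children
        pid_to_exe[ev["pid"]] = ev["exe"]
        parent = PurePosixPath(pid_to_exe.get(ev["ppid"], "")).name
        child_names = {PurePosixPath(ev["exe"]).name, ev["comm"]}   # dash vs sh, python3.11 vs python
        if parent in WEB_PROC_LIST and child_names & CHILD_TOOL_LIST:
            findings.append({"time": ev["time"], "parent": parent, "child": ev["comm"],
                             "argv": ev.get("argv", []), "uid": ev["uid"]})
    return findings


def correlate(access_lines, audit_lines):
    """One alert per web-spawned tool, high severity when 5xx responses preceded it inside TIME_WINDOW."""
    requests = parse_access_log(access_lines)
    alerts = []
    for f in web_spawned_tools(parse_auditd(audit_lines)):
        errors = [r for r in requests if r["status"] >= 500 and timedelta(0) <= f["time"] - r["time"] <= TIME_WINDOW]
        alerts.append({**f, "preceding_5xx": errors, "severity": "high" if errors else "medium"})
    return alerts


# Constructed auditd records (execve rule keyed "exec"); epoch 1714557605 = 2024-05-01 10:00:05 UTC.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1714550400.001:4100): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1203 auid=4294967295 uid=0 gid=0 euid=0 comm="apache2" exe="/usr/sbin/apache2" key="exec"
type=EXECVE msg=audit(1714550400.001:4100): argc=3 a0="/usr/sbin/apache2" a1="-k" a2="start"
type=SYSCALL msg=audit(1714557605.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1203 pid=4411 auid=4294967295 uid=33 gid=33 euid=33 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1714557605.123:4242): argc=3 a0="sh" a1="-c" a2="id"
type=PROCTITLE msg=audit(1714557605.123:4242): proctitle=7368002D630069640A
type=SYSCALL msg=audit(1714557606.500:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=700 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1714557606.500:4243): argc=2 a0="curl" a1="https://example.invalid/"
"""
# Constructed combined-format access log.
ACCESS_LOG = """\
203.0.113.9 - - [01/May/2024:10:00:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [01/May/2024:10:00:03 +0000] "POST /index.php HTTP/1.1" 500 512 "-" "curl/8.0"
198.51.100.7 - - [01/May/2024:09:30:00 +0000] "GET /about HTTP/1.1" 502 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for a in correlate(ACCESS_LOG.splitlines(), AUDIT_LOG.splitlines()):
        print(a["severity"], a["time"], a["parent"], "->", a["argv"], len(a["preceding_5xx"]), "prior 5xx")
```

Matching on both `comm` and the basename of `exe` matters on Debian-style systems, where `/bin/sh` is dash: the SYSCALL record shows `exe="/usr/bin/dash"` while `comm="sh"`. The admin's curl (parent pid 1) is ignored, and the 09:30 502 falls outside the window and is not attached.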
Adversary targets macOS-hosted public services (e.g., nginx, node). Chain: suspicious inbound request → service crash/5xx → service spawns shell or writes file → new outbound connection.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | App/web server logs ingested via unified logging or filebeat (nginx/apache/node). |
| Process Creation (DC0032) | macos:unifiedlog | exec events where web process starts a shell/tooling |
| Network Traffic Content (DC0085) | NSM:Flow | outbound egress from web host after suspicious request |

| Field | Description |
|---|---|
| ServiceList | Names/paths of public daemons on macOS (httpd, nginx, node, java). |
| TimeWindow | Correlation window for request → exec → egress. |

Adversary exploits containerized app via ingress or service. Chain: (1) suspicious request in ingress/app logs → (2) container process spawns a shell/exec/sidecar (kubectl exec/docker exec) → (3) egress to Internet or metadata service (169.254.169.254).

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | ApplicationLog:Ingress | Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes |
| Process Creation (DC0032) | docker:events | Docker/Kubernetes audit of exec/attach (kubectl exec) or unexpected child processes inside container |
| Network Traffic Content (DC0085) | NSM:Flow | Requests towards cloud metadata or command & control from pod IPs |

| Field | Description |
|---|---|
| IngressNamespaces | Namespaces that are Internet-facing. |
| MetadataEndpoints | Cloud metadata IPs/hostnames (e.g., 169.254.169.254) that a compromised pod may query to steal instance credentials. |
| TimeWindow | Join period between ingress request and pod exec/egress. |

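Steps (2) and (3) of the container chain as an added example (not part of the original analytic): it reads Kubernetes API audit events (audit.k8s.io/v1 JSON lines), keeps pod `exec`/`attach` subresource creates in IngressNamespaces, maps the pod to its IP through a pod inventory, and looks for flows from that IP to MetadataEndpoints or outside the cluster's address space inside TimeWindow. The audit lines, flow records, pod inventory and the cluster CIDR list used to decide what counts as "Internet" are constructed for this example.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Mutable fields (constructed values for this example).
INGRESS_NAMESPACES = {"web", "api"}
METADATA_ENDPOINTS = {"169.254.169.254", "metadata.google.internal"}   # AWS/Azure IMDS IP, GCP hostname
TIME_WINDOW = timedelta(minutes=15)
# Address space considered internal to the cluster/VPC; anything else is treated as Internet egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def parse_k8s_audit(lines):
    """Yield pod exec/attach events from Kubernetes audit log JSON lines."""
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach") and ev.get("verb") == "create":
            yield {"time": datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00")),
                   "namespace": ref["namespace"], "pod": ref["name"], "user": ev["user"]["username"],
                   "source": ev.get("sourceIPs", [""])[0], "uri": ev.get("requestURI", "")}


def classify_dst(dst):
    """metadata | internal | internet | hostname for a flow destination."""
    if dst in METADATA_ENDPOINTS:
        return "metadata"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return "hostname"
    if addr.is_loopback or addr.is_link_local or any(addr in n for n in INTERNAL_NETS):
        return "internal"
    return "internet"


def correlate(audit_lines, flows, pod_ips):
    """One alert per exec into an Internet-facing namespace; high when the pod then reaches metadata/Internet."""
    alerts = []
    for ex in parse_k8s_audit(audit_lines):
        if ex["namespace"] not in INGRESS_NAMESPACES:
            continue
        pod_ip = pod_ips.get((ex["namespace"], ex["pod"]))
        egress = [dict(f, kind=classify_dst(f["dst"])) for f in flows
                  if f["src_ip"] == pod_ip and timedelta(0) <= f["time"] - ex["time"] <= TIME_WINDOW]
        suspicious = [f for f in egress if f["kind"] in ("metadata", "internet")]
        alerts.append({"pod": f'{ex["namespace"]}/{ex["pod"]}', "user": ex["user"], "exec_time": ex["time"],
                       "egress": suspicious, "severity": "high" if suspicious else "medium"})
    return alerts


# Constructed audit events: an exec into web/app-1, an unrelated GET, and an exec in a non-ingress namespace.
K8S_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"jane@example.invalid"},"sourceIPs":["198.51.100.30"],"objectRef":{"resource":"pods","namespace":"web","name":"app-1","subresource":"exec"},"requestURI":"/api/v1/namespaces/web/pods/app-1/exec?command=sh&stdin=true&tty=true","requestReceivedTimestamp":"2024-05-01T10:00:05.000000Z","responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:serviceaccount:kube-system:coredns"},"objectRef":{"resource":"pods","namespace":"web","name":"app-1"},"requestURI":"/api/v1/namespaces/web/pods/app-1","requestReceivedTimestamp":"2024-05-01T10:00:06.000000Z","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"ops@example.invalid"},"sourceIPs":["10.10.0.5"],"objectRef":{"resource":"pods","namespace":"monitoring","name":"prom-0","subresource":"exec"},"requestURI":"/api/v1/namespaces/monitoring/pods/prom-0/exec?command=sh","requestReceivedTimestamp":"2024-05-01T10:02:00.000000Z","responseStatus":{"code":101}}
"""
# Constructed flow records (NSM/VPC style, already reduced to the fields used here).
FLOWS = [
    {"time": datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc), "src_ip": "10.244.1.7", "dst": "10.96.0.10", "dst_port": 53},
    {"time": datetime(2024, 5, 1, 10, 0, 30, tzinfo=timezone.utc), "src_ip": "10.244.1.7", "dst": "169.254.169.254", "dst_port": 80},
    {"time": datetime(2024, 5, 1, 10, 1, 0, tzinfo=timezone.utc), "src_ip": "10.244.1.7", "dst": "203.0.113.50", "dst_port": 443},
    {"time": datetime(2024, 5, 1, 10, 0, 40, tzinfo=timezone.utc), "src_ip": "10.244.2.3", "dst": "203.0.113.50", "dst_port": 443},
]
# Constructed pod inventory (namespace, pod) -> pod IP, as a CNI/kube-state snapshot would provide.
POD_IPS = {("web", "app-1"): "10.244.1.7", ("web", "app-2"): "10.244.2.3", ("monitoring", "prom-0"): "10.244.3.1"}

if __name__ == "__main__":
    for a in correlate(K8S_AUDIT_LOG.splitlines(), FLOWS, POD_IPS):
        print(a["severity"], a["pod"], a["user"], [(f["dst"], f["kind"]) for f in a["egress"]])
```

The exec into monitoring/prom-0 is dropped by the namespace filter, and app-2's Internet flow is not attributed to app-1 because the join is on the exec'd pod's own IP; the 09:00 DNS flow predates the exec and is ignored.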
Adversary targets cloud-hosted public endpoints. Chain: (1) ALB/ELB/Cloud LB logs show exploit-like inputs or error spikes → (2) workload spawns shell or reaches metadata API → (3) egress to new external hosts.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | ALB:HTTPLogs | AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts |
| Network Traffic Flow (DC0078) | AWS:VPCFlowLogs | VPC/NSG flow logs for pod/instance egress to Internet or metadata |

| Field | Description |
|---|---|
| LBProjects | Cloud accounts/subscriptions/regions to include. |
| ErrorBurst | 5xx/4xx per client threshold. |

Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | esxi:hostd | /var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections |
| Network Traffic Content (DC0085) | NSM:Flow | Connections to TCP 427 (SLP) or vCenter web services from untrusted sources |

| Field | Description |
|---|---|
| MgmtCIDR | Trusted admin network ranges; only these should reach ESXi/vCenter management services. |
| TimeWindow | Window for joining hostd/vpxd errors with inbound flows. |

Adversary exploits public admin services on routers/firewalls/switches. Chain: anomalous HTTP/SNMP/SmartInstall inputs → device syslog errors/restarts → config changes/CLI spawn → egress to attacker C2.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | networkdevice:controlplane | Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands |
| Network Traffic Content (DC0085) | NSM:Flow | NetFlow/sFlow for odd egress to Internet from mgmt plane |

| Field | Description |
|---|---|
| MgmtPorts | List of admin services to watch (8443, 443, 161/udp, 4786, 22). |
| TrustedAdmins | Admin source ranges to allow. |

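The ESXi/vCenter and network-device chains share one idea: management ports should only ever see trusted admin ranges, so a flow to a MgmtPort from outside MgmtCIDR/TrustedAdmins is itself a finding, and becomes a strong one when the device logs a fault or restart shortly after. The added example below (not part of the original analytic) scopes flows by port and CIDR, extracts error/restart messages from an ESXi hostd.log feed and from classic-syslog lines of an edge device, and joins them inside TimeWindow. The log lines, flow records, trusted ranges and the error-keyword regex are constructed; the hostd.log line shape (`<ISO-8601 UTC> <level> hostd[<id>] <message>`) and the device message text are assumptions for the example, and classic syslog timestamps carry no year, so one is supplied.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Mutable fields (constructed values for this example).
TRUSTED_ADMINS = [ipaddress.ip_network(c) for c in ("10.10.0.0/24", "192.168.100.0/24")]   # MgmtCIDR / TrustedAdmins
MGMT_PORTS = {("tcp", 22), ("tcp", 427), ("tcp", 443), ("tcp", 4786), ("tcp", 8443), ("udp", 161)}
TIME_WINDOW = timedelta(minutes=15)
ERROR_KEYWORDS = re.compile(r"\b(crash(?:ed|ing)?|fault|panic|restart(?:ed|ing)?|core dump|500)\b", re.IGNORECASE)
LOG_YEAR = 2024   # classic syslog has no year field; assume the collection year

HOSTD_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z) (?P<level>\w+) hostd\[\d+\] (?P<msg>.*)$")
SYSLOG_RE = re.compile(r"^(?:<\d+>)?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse_service_errors(host, lines):
    """Fault/crash/restart messages from an ESXi hostd.log feed or a device syslog feed tagged with `host`."""
    errors = []
    for line in lines:
        m = HOSTD_RE.match(line)
        if m:
            ts, src_host = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), host
        else:
            m = SYSLOG_RE.match(line)
            if not m:
                continue
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR, tzinfo=timezone.utc)
            src_host = m["host"]                      # syslog carries the originating hostname itself
        if ERROR_KEYWORDS.search(m["msg"]):
            errors.append({"time": ts, "host": src_host, "msg": m["msg"]})
    return errors


def untrusted_mgmt_flows(flows):
    """Flows to a management port whose source is outside every trusted admin range."""
    return [f for f in flows if (f["proto"], f["dport"]) in MGMT_PORTS
            and not any(ipaddress.ip_address(f["src"]) in n for n in TRUSTED_ADMINS)]


def correlate(flows, error_logs):
    """error_logs: {host: [lines]}. One alert per untrusted mgmt flow; high when that host logged faults after it."""
    errors = [e for host, lines in error_logs.items() for e in parse_service_errors(host, lines)]
    alerts = []
    for f in untrusted_mgmt_flows(flows):
        after = [e for e in errors if e["host"] == f["host"] and timedelta(0) <= e["time"] - f["time"] <= TIME_WINDOW]
        alerts.append({"src": f["src"], "host": f["host"], "port": f"{f['dport']}/{f['proto']}",
                       "errors": after, "severity": "high" if after else "medium"})
    return alerts


# Constructed hostd.log excerpt (shape is an assumption; text is fictitious).
HOSTD_LOG = """\
2024-05-01T09:59:00.000Z info hostd[2099234] [Originator@6876 sub=Vimsvc] Heartbeat ok
2024-05-01T10:00:07.123Z warning hostd[2099234] [Originator@6876 sub=Default] Unexpected fault; service restarting after crash
"""
# Constructed edge-device syslog (classic format with PRI prefix; message text is fictitious).
DEVICE_SYSLOG = """\
<189>May  1 10:00:08 edge-fw1 web-mgmt: HTTP 500 returned to client; management daemon restarting
<190>May  1 10:20:00 edge-fw1 web-mgmt: admin login from 10.10.0.5
"""
# Constructed flow records; `host` is the device the collector attributes the destination to.
FLOWS = [
    {"time": datetime(2024, 5, 1, 10, 0, 5, tzinfo=timezone.utc), "src": "203.0.113.77", "dst": "192.0.2.10", "proto": "tcp", "dport": 427, "host": "esxi-01"},
    {"time": datetime(2024, 5, 1, 10, 5, 0, tzinfo=timezone.utc), "src": "10.10.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 443, "host": "esxi-01"},
    {"time": datetime(2024, 5, 1, 10, 0, 6, tzinfo=timezone.utc), "src": "198.51.100.20", "dst": "192.0.2.20", "proto": "tcp", "dport": 4786, "host": "edge-fw1"},
    {"time": datetime(2024, 5, 1, 11, 0, 0, tzinfo=timezone.utc), "src": "203.0.113.77", "dst": "192.0.2.20", "proto": "tcp", "dport": 22, "host": "edge-fw1"},
    {"time": datetime(2024, 5, 1, 10, 0, 9, tzinfo=timezone.utc), "src": "203.0.113.77", "dst": "192.0.2.20", "proto": "tcp", "dport": 80, "host": "edge-fw1"},
]
ERROR_LOGS = {"esxi-01": HOSTD_LOG.splitlines(), "edge-fw1": DEVICE_SYSLOG.splitlines()}

if __name__ == "__main__":
    for a in correlate(FLOWS, ERROR_LOGS):
        print(a["severity"], a["src"], "->", a["host"], a["port"], [e["msg"] for e in a["errors"]])
```

The SLP flow (427/tcp) from 203.0.113.77 is followed two seconds later by a hostd fault, and the SmartInstall flow (4786/tcp) by a device restart message, so both are high; the later SSH flow from the same source has no matching error and stays medium, while the trusted 10.10.0.5 source and the non-management port 80 flow produce nothing.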