Exploit Public-Facing Application
Public-facing application risk should be reviewed through patch posture, web logs, and unexpected authentication attempts.
Motivation and analyst context
Sandworm is represented as a disruptive and espionage-capable actor profile with emphasis on critical infrastructure awareness and defensive monitoring.
Sectors and regions in this local profile
Mapped behavior for defensive monitoring
Destructive behavior is described only at a defensive level. Monitor for abnormal file deletion, service disruption, and backup access changes.
Analysts should investigate suspicious security tool tampering, log gaps, or policy changes.
Families and tooling names for defensive awareness
Tracked as a defensive family label for critical infrastructure awareness.
Included only as a high-level reporting label for defensive monitoring concepts.
Safe, defanged, or documentation-range indicators
| Type | Value | Confidence | Note | Action |
|---|---|---|---|---|
| Domain | service-health-check[.]example | Medium | Defanged example domain for safe critical services reporting. | |
| IP | 198.51.100.91 | Medium | Documentation-range IP address for mock infrastructure. | |
| File | system-health-update.bin | Low | Mock file name used for table demonstration only. | |
Recent campaign activity from local mock data
Mock note focusing on public-facing service alerts, backup validation, and abnormal administrative activity.
Analyst scenario covering suspicious network device access and configuration changes.
Safe SOC analyst guidance for monitoring and triage