Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1873: Analytic 1873

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.

ICSAN1873AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about detecting attempted software exploitation by looking for exploit artifacts in network traffic, especially with deep packet inspection and, where applicable, web application firewall observations. Its business value is in validating whether the organization can see exploitation attempts before they become an incident, while recognizing that failed exploits may still disrupt services by crashing or destabilizing targeted software.

Executive priority

Treat this as a coverage question for resilience and incident readiness: do critical environments have enough network and application-layer visibility to identify exploit attempts, and can teams distinguish blocked, failed, and potentially successful activity? For ICS environments, this matters because unstable or crashed software can create operational risk even when exploitation does not fully succeed. Leaders should ask whether DPI/WAF evidence is retained, reviewed, and usable during incident response and compliance discussions.

Technical view

SOC and IR teams should validate whether available tools can inspect traffic deeply enough to identify known exploit payloads or malformed inputs. Because no ATT&CK platforms, tactics, relationships, or formal detection logic are supplied, this should be treated as a detection strategy rather than a complete analytic rule. Practical validation should focus on whether DPI, network monitoring, and WAF data can expose exploit-like inputs and whether application or service instability can be correlated with suspicious traffic around the same time.

Likely telemetry

  • Deep packet inspection records or full/metadata packet capture where available
  • Network intrusion detection alerts for known exploit payloads or exploit-like traffic artifacts
  • Web Application Firewall logs for improper or malformed inputs attempting exploitation
  • Application, service, or process crash/instability logs that may indicate failed exploitation attempts
  • Time-correlated network and system events around suspected exploitation windows

Detection direction

  • Confirm whether DPI coverage exists for the relevant network paths; encrypted, uninspected, or segmented traffic may create blind spots.
  • Tune for known exploit payload artifacts and malformed input patterns, while accounting for benign scanners, vulnerability testing, and malformed but non-malicious client behavior as false-positive sources.
  • Correlate WAF or DPI findings with service instability or crashes, since unsuccessful exploitation may still leave operationally important evidence.
  • Validate retention and analyst access to packet, WAF, and crash evidence before an incident; this analytic depends heavily on tool availability and visibility.
  • Do not treat absence of alerts as proof of no exploitation, because the official description notes detection may be difficult depending on available tools.

Mitigation priorities

  • Prioritize visibility first: ensure critical traffic paths have appropriate DPI, network monitoring, or WAF logging where applicable.
  • Ensure incident responders can correlate exploit-traffic indicators with application or process instability.
  • Use findings from this analytic to inform vulnerability management prioritization for exposed or operationally important software.
  • Document monitoring coverage and known blind spots as audit and risk evidence, especially where ICS operational continuity is a concern.
Analyst notes and limits

The supplied ATT&CK object is an ICS detection analytic with a short description and no explicit detection logic, platforms, tactics, or relationship context. The strongest supported interpretation is a network/application-layer detection approach for software exploitation artifacts, not a complete rule or guaranteed detection method.

This take is limited to the official description and external reference provided. No active exploitation, actor attribution, affected platforms, specific software, or ATT&CK relationships are supplied. Local architecture, sensor placement, encryption, WAF/DPI capability, and log retention determine whether this analytic is actionable.

Official MITRE ATT&CK definition

Analytic 1873

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b198eeb6a522339b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b198eeb6a522…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1873
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use