1. Home
  2. Techniques
  3. Enterprise
  4. Server Software Component

Server Software Component

ID Name
T1505.001 SQL Stored Procedures
T1505.002 Transport Agent
T1505.003 Web Shell
T1505.004 IIS Components
T1505.005 Terminal Services DLL
T1505.006 vSphere Installation Bundles

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.[1]

ID: T1505
Sub-techniques:  T1505.001, T1505.002, T1505.003, T1505.004, T1505.005, T1505.006
Tactic: Persistence
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Version: 1.5
Created: 28 June 2019
Last Modified: 24 October 2025
Version Permalink

Mitigations

ID Mitigation Description
M1047 Audit

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
M1046 Boot Integrity

Enabling secure boot allows validation of software and drivers during initial system boot.
M1045 Code Signing

Ensure all application component binaries are signed by the correct application developers.
M1042 Disable or Remove Feature or Program

Consider disabling software components from servers when possible to prevent abuse by adversaries.[2]
M1026 Privileged Account Management

Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
M1024 Restrict Registry Permissions

Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry.[3]
M1018 User Account Management

Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components.[4]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0547 Detection Strategy for T1505 - Server Software Component AN1507

Installation of malicious IIS/Apache/SQL server modules that later execute command-line interpreters or establish outbound connections.
AN1508

Abuse of extensible server modules (e.g., Apache, Nginx, Tomcat) to load rogue plugins that initiate bash, connect to C2, or spawn reverse shells.
AN1509

Malicious use of webserver plugins (e.g., for nginx, PHP, Node.js) that execute AppleScript or open network sockets.
AN1510

Use of ESXi web interface plugins or vSphere extensions to embed persistent malicious scripts or services.

References

  1. Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.
  2. Kondratiev, A. (n.d.). Disabling dangerous PHP functions. Retrieved July 26, 2021.
  1. Microsoft. (2018, February 17). Windows System Services Fundamentals. Retrieved March 28, 2022.
  2. NSA and ASD. (2020, April 3). Detect and Prevent Web Shell Malware. Retrieved July 23, 2021.