Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.

ID: T1505
Sub-techniques:  T1505.001, T1505.002, T1505.003
Tactic: Persistence
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, root
Data Sources: Application Log: Application Log Content, File: File Creation, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Version: 1.1
Created: 28 June 2019
Last Modified: 16 September 2020


ID Mitigation Description
M1047 Audit

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

M1045 Code Signing

Ensure all application component binaries are signed by the correct application developers.

M1026 Privileged Account Management

Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.


Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.

Process monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. [1]