T1505: Server Software Component
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- supply_chain: PT-CR-1934: SupplyChain_TeamCity_Plugin_Modify: A plugin was used. Attackers can manipulate TeamCity plugins to upload malicious code
- pt_application_firewall: PT-CR-1916: PTAF_Webshell_Detected: PT AF detected an attempt to upload a web shell to a web server
- mitre_attck_execution: PT-CR-651: Suspicious_Webscript: A user attempted to start an unknown script
- unix_mitre_attck_persistence: PT-CR-1027: Unix_Webshell_Created: A possible attempt to upload a web shell on a Unix web server
- mitre_attck_persistence: PT-CR-266: Windows_Webshell_Created: A potential attempt to deploy a web shell on a Windows web server is detected
Subtechniques
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0015 | Application Log: Application Log Content | Monitor third-party application logging, messaging, and other artifacts that may indicate abuse of legitimate extensible development features of servers to establish persistent access. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Log authentication attempts to the server and any unusual traffic patterns to or from the server and the internal network. |
| DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes using the network that do not normally have network communication, or that have never been seen before, are suspicious. |
| DS0022 | File: File Modification | Monitor for changes made to files that may abuse legitimate extensible development features of servers to establish persistent access to systems. |
| DS0022 | File: File Creation | Consider monitoring file locations associated with the installation of new application software components, such as the paths from which applications typically load such extensible components. |
| DS0009 | Process: Process Creation | Process monitoring may be used to detect server components that perform suspicious actions, such as running cmd.exe or accessing files. |
| DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)). |
Mitigation
| ID | Name | Description |
|---|---|---|
| M1018 | User Account Management | Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components. |
| M1024 | Restrict Registry Permissions | Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry. |
| M1026 | Privileged Account Management | Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
| M1042 | Disable or Remove Feature or Program | Consider disabling software components from servers when possible to prevent abuse by adversaries. |
| M1045 | Code Signing | Ensure all application component binaries are signed by the correct application developers. |
| M1047 | Audit | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. |
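The File Creation/File Modification data sources above and the M1047 Audit mitigation both come down to the same control: keep an approved baseline of a server's extension or plugin directory and flag anything added, removed or modified since. The following script is an added example written for this page, not Positive Technologies' or MITRE's code; the suffix list, the sample file set and the `plugins/` layout are constructed assumptions and should be adjusted to the real server.

```python
import hashlib
import json
from pathlib import Path

# Suffixes of server-side components worth baselining (constructed list for
# this example; adjust to the extension/plugin directory of the real server).
COMPONENT_SUFFIXES = {".jar", ".dll", ".so", ".php", ".jsp", ".aspx", ".asp"}

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_component(name: str) -> bool:
    return Path(name).suffix.lower() in COMPONENT_SUFFIXES

def snapshot_files(files: dict) -> dict:
    """Hash an in-memory {relative_path: bytes} mapping (keeps only components)."""
    return {name: sha256_bytes(data) for name, data in files.items() if is_component(name)}

def snapshot_dir(root: Path) -> dict:
    """Hash every component-like file under root (relative path -> sha256)."""
    files = {str(p.relative_to(root)): p.read_bytes()
             for p in root.rglob("*") if p.is_file()}
    return snapshot_files(files)

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify drift from the approved baseline into added/removed/modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

def audit_dir(root: Path, baseline_file: Path) -> dict:
    """Compare a live directory with a stored JSON baseline (creates it if absent)."""
    current = snapshot_dir(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2, sort_keys=True))
        return {"added": [], "removed": [], "modified": []}
    return diff_snapshots(json.loads(baseline_file.read_text()), current)

# Constructed sample: the approved plugin set, then a later observation in which
# one plugin's contents changed and an unexpected JSP file appeared.
APPROVED = {"plugins/build-tool.jar": b"approved build 1.0", "README.txt": b"docs"}
OBSERVED = {"plugins/build-tool.jar": b"replaced build", "README.txt": b"docs",
            "plugins/unexpected.jsp": b"<% %>"}

if __name__ == "__main__":
    print(json.dumps(diff_snapshots(snapshot_files(APPROVED), snapshot_files(OBSERVED)), indent=2))
```

Any non-empty `added` or `modified` list from a scheduled `audit_dir` run is the event to forward to the SIEM alongside the rules listed above; the baseline file itself must live outside the directory it describes and be writable only by the account that approves component changes.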