Skip to content

DET0547 Detection Strategy for T1505 - Server Software Component

Item Value
ID DET0547
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1505 (Server Software Component)

Analytics

Windows

AN1507

Installation of malicious IIS/Apache/SQL server modules that later execute command-line interpreters or establish outbound connections.

Log Sources
Data Component Name Channel
Scheduled Job Creation (DC0001) WinEventLog:Security EventCode=4698
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Application Log Content (DC0038) WinEventLog:Application Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs
Mutable Elements
Field Description
TimeWindow Time delta between module install and process execution (e.g., persistence delay).
ParentProcessName Custom server wrapper processes or renamed webserver processes may require tuning.

Linux

AN1508

Abuse of extensible server modules (e.g., Apache, Nginx, Tomcat) to load rogue plugins that initiate bash, connect to C2, or spawn reverse shells.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Application Log Content (DC0038) linux:syslog Module registration or stacktrace logs indicating segmentation faults or unknown module errors
Network Traffic Flow (DC0078) NSM:Flow Outbound connections from web server binaries (apache2, nginx, php-fpm) to unknown external IPs
Mutable Elements
Field Description
ServerBinaryPath Alternate install paths like /opt/httpd or user-compiled binaries
OutboundPortRange Tunable to match expected versus suspicious outbound traffic patterns

macOS

AN1509

Malicious use of webserver plugins (e.g., for nginx, PHP, Node.js) that execute AppleScript or open network sockets.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog Script interpreter invoked by nginx/apache worker process
Network Traffic Content (DC0085) macos:unifiedlog Web server process initiating outbound TCP connections not tied to normal server traffic
Mutable Elements
Field Description
ParentBinaryPath If homebrew or manually compiled nginx/httpd used, baseline accordingly.

ESXi

AN1510

Use of ESXi web interface plugins or vSphere extensions to embed persistent malicious scripts or services.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) esxi:hostd New extension/module install with unknown vendor ID
Command Execution (DC0064) esxi:vmkernel Unexpected restarts of management agents or shell access
Mutable Elements
Field Description
PluginVendorName Whitelist known vendor plug-in names for extension correlation
AccessVector Limit exposure of plugin installation via HTTPS or SSH