
T1505 Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications. [1]

ID:             T1505
Sub-techniques: T1505.001, T1505.002, T1505.003, T1505.004, T1505.005
Tactics:        TA0003
Platforms:      Linux, Network, Windows, macOS
Version:        1.4
Created:        28 June 2019
Last Modified:  19 October 2022

Mitigations

ID (Mitigation): Description

M1047 (Audit): Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

M1045 (Code Signing): Ensure all application component binaries are signed by the correct application developers.

M1042 (Disable or Remove Feature or Program): Consider disabling software components from servers when possible to prevent abuse by adversaries. [4]

M1026 (Privileged Account Management): Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

M1024 (Restrict Registry Permissions): Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry. [5]

M1018 (User Account Management): Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components. [3]

Detection

ID (Data Source): Data Component

DS0015 (Application Log): Application Log Content
DS0022 (File): File Creation
DS0029 (Network Traffic): Network Traffic Content
DS0009 (Process): Process Creation
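A concrete form of the M1047 audit and the DS0022 File Creation data component, as an added example that is not part of the ATT&CK page: record a hash manifest of a server's component directory at an approved state, then on each audit run report components that were added, modified or removed. The directory layout and module file names below are constructed for the demo; in practice `build_manifest` would be pointed at the real extension or module folder of the server application.

```python
# Added example (not from the ATT&CK page): baseline-and-compare integrity
# check for a server's extension/component directory, supporting M1047 (Audit)
# and the DS0022 File Creation data component. All paths and file contents are
# constructed in a temporary directory for the demo.
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def compare_manifest(baseline, current):
    """Return components added, modified or removed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: approved component set, then unexpected changes."""
    with tempfile.TemporaryDirectory() as root:
        mods = os.path.join(root, "modules")
        os.makedirs(mods)
        # Approved components present when the baseline manifest is recorded.
        with open(os.path.join(mods, "auth.so"), "wb") as fh:
            fh.write(b"approved auth module")
        with open(os.path.join(mods, "cache.so"), "wb") as fh:
            fh.write(b"approved cache module")
        baseline = build_manifest(root)
        # Later audit run: one module altered and an unapproved one added.
        with open(os.path.join(mods, "auth.so"), "wb") as fh:
            fh.write(b"approved auth module plus unexpected code")
        with open(os.path.join(mods, "helper.so"), "wb") as fh:
            fh.write(b"unapproved component")
        return compare_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline manifest off-host (or sign it) so an adversary who gains write access to the component directory cannot also rewrite the reference the audit compares against.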
