T1505 Server Software Component
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.1
| Item | Value |
|---|---|
| ID | T1505 |
| Sub-techniques | T1505.001, T1505.002, T1505.003, T1505.004, T1505.005, T1505.006 |
| Tactics | TA0003 |
| Platforms | ESXi, Linux, Network Devices, Windows, macOS |
| Version | 1.5 |
| Created | 28 June 2019 |
| Last Modified | 24 October 2025 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. |
| M1046 | Boot Integrity | Enabling secure boot allows validation of software and drivers during initial system boot. |
| M1045 | Code Signing | Ensure all application component binaries are signed by the correct application developers. |
| M1042 | Disable or Remove Feature or Program | Consider disabling software components from servers when possible to prevent abuse by adversaries.4 |
| M1026 | Privileged Account Management | Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
| M1024 | Restrict Registry Permissions | Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry.3 |
| M1018 | User Account Management | Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components.5 |
References
-
Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022. ↩
-
US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. ↩
-
Microsoft. (2018, February 17). Windows System Services Fundamentals. Retrieved March 28, 2022. ↩
-
Kondratiev, A. (n.d.). Disabling dangerous PHP functions. Retrieved July 26, 2021. ↩
-
NSA and ASD. (2020, April 3). Detect and Prevent Web Shell Malware. Retrieved July 23, 2021. ↩