T1505 Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)


CRI Profile Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.02 | Privileged system access | Mitigates | T1505 | Server Software Component | This diagnostic statement protects against Server Software Component through the use of privileged account management and the use of multi-factor authentication. |
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1505 | Server Software Component | This diagnostic statement protects against Server Software Component through verifying the integrity of software/firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures. |
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1505 | Server Software Component | This diagnostic statement protects against Server Software Component through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. |
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1505 | Server Software Component | This diagnostic statement highlights the use of software security testing, code integrity verification, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of. |
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1505 | Server Software Component | This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques. |
| PR.PS-01.03 | Configuration deviation | Mitigates | T1505 | Server Software Component | This diagnostic statement provides protection from Server Software Component through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. |
| PR.IR-01.06 | Production environment segregation | Mitigates | T1505 | Server Software Component | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
| PR.AA-01.01 | Identity and credential management | Mitigates | T1505 | Server Software Component | This diagnostic statement protects against Server Software Component through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |

NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1505 | Server Software Component | |
| CM-05 | Access Restrictions for Change | mitigates | T1505 | Server Software Component | |
| SA-10 | Developer Configuration Management | mitigates | T1505 | Server Software Component | |
| SC-16 | Transmission of Security and Privacy Attributes | mitigates | T1505 | Server Software Component | |
| SI-14 | Non-persistence | mitigates | T1505 | Server Software Component | |
| CM-11 | User-installed Software | mitigates | T1505 | Server Software Component | |
| SR-11 | Component Authenticity | mitigates | T1505 | Server Software Component | |
| SR-04 | Provenance | mitigates | T1505 | Server Software Component | |
| SR-05 | Acquisition Strategies, Tools, and Methods | mitigates | T1505 | Server Software Component | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1505 | Server Software Component | |
| CM-08 | System Component Inventory | mitigates | T1505 | Server Software Component | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1505 | Server Software Component | |
| AC-16 | Security and Privacy Attributes | mitigates | T1505 | Server Software Component | |
| CM-02 | Baseline Configuration | mitigates | T1505 | Server Software Component | |
| SA-11 | Developer Testing and Evaluation | mitigates | T1505 | Server Software Component | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1505 | Server Software Component | |
| SI-04 | System Monitoring | mitigates | T1505 | Server Software Component | |
| AC-02 | Account Management | mitigates | T1505 | Server Software Component | |
| AC-03 | Access Enforcement | mitigates | T1505 | Server Software Component | |
| AC-05 | Separation of Duties | mitigates | T1505 | Server Software Component | |
| AC-06 | Least Privilege | mitigates | T1505 | Server Software Component | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1505 | Server Software Component | |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1505 | Server Software Component | |

Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1505 | Server Software Component | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal. |
| alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1505 | Server Software Component | This control provides coverage for the only sub-technique it is relevant for, Web Shell, but that coverage is Minimal. |
| azure_policy | Azure Policy | technique_scores | T1505 | Server Software Component | This control can protect against abuse of server software components for persistence. |
| defender_for_azure_sql_databases | Microsoft Defender for Azure SQL Databases | technique_scores | T1505 | Server Software Component | This control can protect against abuse of server software components for persistence. |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1505 | Server Software Component | Google Security Ops is able to trigger alerts based on suspicious events and command line arguments that could indicate an adversary tampering with system components. This technique was scored as Minimal based on a low or uncertain detection coverage factor. Reference rule: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/detection_of_com_hijacking.yaral |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1505.002 | Transport Agent | 29 |
| T1505.005 | Terminal Services DLL | 16 |
| T1505.003 | Web Shell | 16 |
| T1505.004 | IIS Components | 30 |
| T1505.001 | SQL Stored Procedures | 23 |