Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1505 | Server Software Component | |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1505 | Server Software Component |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1505 | Server Software Component |
Comments
Google Security Ops is able to trigger alerts based off suspicious events and command line arguments that could indicate an adversary tampering with system components.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/detection_of_com_hijacking.yaral
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1505.002 | Transport Agent | 25 |
| T1505.005 | Terminal Services DLL | 14 |
| T1505.003 | Web Shell | 13 |
| T1505.004 | IIS Components | 24 |
| T1505.001 | SQL Stored Procedures | 17 |