T1505 - Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)

Atomic Tests:

Currently, no tests are available for this technique.

Detection

Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.

Process monitoring may be used to detect server components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and the internal network.(Citation: US-CERT Alert TA15-314A Web Shells)
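As an added example (not from the ATT&CK page or Atomic Red Team), the two detection signals above written as rules over constructed process-creation and file-creation events: a server process spawning a shell, and a new file appearing in a path the server loads extensions from. The server process names, component paths and installer allowlist are assumptions to tune per environment.

```python
from typing import Dict, List, Tuple

# Processes that host extensible components (assumption: tune per environment).
SERVER_PROCESSES = {"w3wp.exe", "httpd", "nginx", "java", "tomcat9.exe"}
# Interactive shells a web/app server has no routine reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Paths from which servers load extensible components (illustrative set).
COMPONENT_PATHS = (
    "c:/windows/system32/inetsrv/",   # IIS native modules
    "c:/inetpub/wwwroot/bin/",        # ASP.NET managed modules
    "/usr/lib/apache2/modules/",      # Apache loadable modules
    "/opt/tomcat/webapps/",           # Tomcat web applications
)
# Processes expected to write into component paths, e.g. package managers (assumption).
KNOWN_INSTALLERS = {"msiexec.exe", "dpkg", "rpm"}

def norm(path: str) -> str:
    """Lower-case and use forward slashes so one rule covers Windows and POSIX paths."""
    return path.replace("\\", "/").lower()

def basename(path: str) -> str:
    return norm(path).rsplit("/", 1)[-1]

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for each event matching a T1505 indicator."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] == "process_create":
            # A server process launching a shell is the classic web shell tell.
            if basename(ev["parent"]) in SERVER_PROCESSES and basename(ev["image"]) in SHELLS:
                alerts.append(("server_spawned_shell", i))
        elif ev["type"] == "file_create":
            # New file in an extension-load path, written by something other than
            # a known installer: review it before the server loads it.
            in_component_dir = norm(ev["path"]).startswith(COMPONENT_PATHS)
            if in_component_dir and basename(ev["process"]) not in KNOWN_INSTALLERS:
                alerts.append(("component_path_write", i))
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    {"type": "process_create", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "parent": "/usr/sbin/httpd", "image": "/bin/sh"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_create", "path": "/usr/lib/apache2/modules/mod_unknown.so",
     "process": "/usr/bin/cp"},
    {"type": "file_create", "path": "/usr/lib/apache2/modules/mod_ssl.so",
     "process": "/usr/bin/dpkg"},
    {"type": "file_create", "path": "/var/log/apache2/access.log",
     "process": "/usr/sbin/httpd"},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```

The explorer.exe-spawned cmd.exe and the dpkg-written module are left alone on purpose: the rules key on the parent being a server process, and on the writer not being a known installer, which keeps ordinary administration out of the alert stream.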

Shield Active Defense

Application Diversity

Present the adversary with a variety of installed applications and services.

Application diversity is presenting multiple software targets to the adversary. On a single target system, defenders can configure multiple different services or user software applications. On a target network, defenders can present systems with a variety of operating systems, operating system versions, applications, and services.

Opportunity

There is an opportunity to study the adversary and collect first-hand observations about them and their tools.

Use Case

A defender can install decoy services that have extensible capabilities.

Procedures

Use a mix of vulnerable and non-vulnerable software on a system to allow you to see which exploits the adversary leverages in their attacks. Install antivirus or other endpoint detection tools on systems to see whether an adversary takes note of them and, if so, how they react.