Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)
Sub-Techniques (6)
- T1505.001 SQL Stored Procedures
- T1505.002 Transport Agent
- T1505.003 Web Shell
- T1505.004 IIS Components
- T1505.005 Terminal Services DLL
- T1505.006 vSphere Installation Bundles
Mitigations (7)
- Code Signing (M1045): Ensure all application component binaries are signed by the correct application developers.
- Audit (M1047): Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
- Restrict Registry Permissions (M1024): Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry.(Citation: Microsoft System Services Fundamentals)
- Disable or Remove Feature or Program (M1042): Consider disabling software components from servers when possible to prevent abuse by adversaries.(Citation: ITSyndicate Disabling PHP functions)
- Boot Integrity (M1046): Enabling secure boot allows validation of software and drivers during initial system boot.
- User Account Management (M1018): Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components.(Citation: NSA and ASD Detect and Prevent Web Shells 2020)
- Privileged Account Management (M1026): Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
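The Audit mitigation above (and, indirectly, Code Signing) comes down to knowing what components a server is supposed to have and noticing when that set changes. The following is an added example, not ATT&CK content or any vendor's tooling: a baseline-and-diff integrity check that hashes every file under a component directory and reports additions, modifications and removals against a stored baseline. The directory layout and file contents are constructed sample data; signature verification is left to the platform's own signing tools.

```python
# Added example (not ATT&CK or vendor code): a baseline-and-diff integrity
# check implementing the Audit (M1047) mitigation. Every file under a server
# component directory is hashed; later runs report files added, modified or
# removed since the baseline. Paths and contents here are constructed samples.
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Return files added, modified or removed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a component directory, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "module.dll"), "wb") as fh:
            fh.write(b"legitimate module v1")
        with open(os.path.join(root, "web.config"), "wb") as fh:
            fh.write(b"<configuration/>")
        baseline = hash_tree(root)  # in practice, store off-host and read-only
        # Changes an audit should surface: a modified binary and a new component
        with open(os.path.join(root, "bin", "module.dll"), "wb") as fh:
            fh.write(b"legitimate module v1 + unexpected bytes")
        with open(os.path.join(root, "bin", "unexpected.dll"), "wb") as fh:
            fh.write(b"not in baseline")
        return diff_baseline(baseline, hash_tree(root))
```

Run `demo()` to see the report; in production the baseline would be taken right after a known-good deployment and the diff scheduled against the live component directory.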
References
- Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.
- US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
Frequently Asked Questions
What is T1505 (Server Software Component)?
T1505 is a MITRE ATT&CK technique named 'Server Software Component' under the Persistence tactic. As the Description above explains, adversaries abuse the legitimate extensible development features of enterprise server applications, installing malicious components to establish persistent access to systems.
How can T1505 be detected?
Detection of T1505 (Server Software Component) typically involves monitoring system logs, network traffic, and endpoint telemetry, with particular attention to the integrity of installed server components: compare them against a known-good baseline, verify their signatures, and alert on unexpected additions or changes. SIEM rules, EDR solutions, and behavioral analytics can surface the component installation and execution activity associated with this technique.
What mitigations exist for T1505?
There are 7 documented mitigations for T1505: Code Signing, Audit, Restrict Registry Permissions, Disable or Remove Feature or Program, Boot Integrity, User Account Management, and Privileged Account Management.
Which threat groups use T1505?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.