T1505: Server Software Component
| View on MITRE ATT&CK | T1505 |
|---|---|
| Tactic(s) | Persistence |
Data from MITRE ATT&CK®:
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.Restrict Registry Permissions
Restrict the ability to modify certain hives or keys in the Windows Registry.Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.How to detect this technique
MITRE ATT&CK Data Components
File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)Application Log Content (Application Log)
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)Sigma Detections for this Technique
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.