# T1505 Server Software Component

-----------------------------------------------------------------------

## Technique Description

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.

## Technique Detection

Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.

Process monitoring may be used to detect server components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)

-----------------------------------------------------------------------

### Tactics:

  * Persistence

### Platforms:

  * Windows

  * Linux

  * macOS

### Adversary Required Permissions:

  * Administrator

  * SYSTEM

  * root

### Data Sources:

  * **Application Log:** Application Log Content

  * **Network Traffic:** Network Traffic Flow

  * **File:** File Modification

  * **Network Traffic:** Network Traffic Content

  * **File:** File Creation

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group | Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1505)

  * [US-CERT Alert TA15-314A Web Shells](https://www.us-cert.gov/ncas/alerts/TA15-314A), US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will abuse legitimate extensible development features of servers to establish persistent access to systems.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla |  | |
| Dragonfly |  | |

## Detection Blindspots

- Information Here

## Analytical References

  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md

  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md

  * https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf

  * https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help

  * https://www.elastic.co/guide/en/security/master/execution-via-mssql-xp_cmdshell-stored-procedure.html

  * https://www.red-gate.com/hub/product-learning/sql-monitor/picking-over-the-bones-of-a-sql-injection-attack

  * https://rioasmara.com/2020/01/31/mssql-rce-and-reverse-shell-xp_cmdshell/

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Adversaries may abuse Microsoft Exchange transport agents to establish persistent access to systems. (The Microsoft Exchange PowerShell snap-in must be loaded for the transport agent cmdlets to be available, i.e. Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn.)'

  * **Source:** 'Windows Audits'

  * **Tool:** 'Kibana'

  * **Notes:** 'Event ID 4104 is PowerShell script block logging; it must be enabled on the Exchange servers for this query to return results.'

  * **Query:** ```event.code : 4104 and message : ("Install-TransportAgent" or "Enable-TransportAgent" or "Get-TransportAgent")```

#### Analytic 2

  * **Information:** 'Adversaries may backdoor web servers with web shells to establish persistent access to systems.'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```process.command_line : *inetpub\\wwwroot*```

#### Analytic 3

  * **Information:** 'Identifies execution via the MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default; it is therefore important to review the context of its use.'

  * **Source:** 'Windows Audits'

  * **Tool:** 'Kibana'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```event.category:process and event.type:(start or process_started) and process.name:cmd.exe and process.parent.name:sqlservr.exe```
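The three host analytics above expressed as code, so they can be exercised offline: this is an added example, not part of the hunt book or of any Elastic rule, and it assumes the events carry the same ECS field names the Kibana queries use (`event.code`, `message`, `process.command_line`, `process.parent.name`). The sample events are constructed, not real telemetry.

```python
# Constructed sample events in ECS field names (the names the Kibana queries use).
SAMPLE_EVENTS = [
    {"event": {"code": "4104"},  # PowerShell script block log
     "message": "Install-TransportAgent -Name Agent -AssemblyPath C:\\Temp\\agent.dll"},
    {"event": {"code": "4104"}, "message": "Get-Mailbox -ResultSize 5"},
    {"event": {"category": "process", "type": ["start"]},  # web root in command line
     "process": {"name": "cmd.exe", "parent": {"name": "w3wp.exe"},
                 "command_line": "cmd.exe /c dir C:\\inetpub\\wwwroot\\uploads"}},
    {"event": {"category": "process", "type": ["start"]},  # cmd.exe under SQL Server
     "process": {"name": "cmd.exe", "parent": {"name": "sqlservr.exe"},
                 "command_line": "cmd.exe /c dir"}},
    {"event": {"category": "process", "type": ["start"]},  # benign, should not match
     "process": {"name": "notepad.exe", "parent": {"name": "explorer.exe"},
                 "command_line": "notepad.exe"}},
]
TRANSPORT_AGENT_CMDLETS = ("install-transportagent", "enable-transportagent", "get-transportagent")

def get(event, path, default=""):
    """Walk a dotted ECS path such as 'process.parent.name'; missing -> default."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def analytic_1(event):
    """Analytic 1: transport agent cmdlets in PowerShell script block logging (4104)."""
    msg = str(get(event, "message")).lower()
    return get(event, "event.code") == "4104" and any(c in msg for c in TRANSPORT_AGENT_CMDLETS)

def analytic_2(event):
    """Analytic 2: process command line referencing the IIS web root."""
    return "inetpub\\wwwroot" in str(get(event, "process.command_line")).lower()

def analytic_3(event):
    """Analytic 3: cmd.exe started as a child of sqlservr.exe (xp_cmdshell)."""
    types = get(event, "event.type", [])
    types = [types] if isinstance(types, str) else types  # ECS event.type is a list
    return (get(event, "event.category") == "process"
            and any(t in ("start", "process_started") for t in types)
            and str(get(event, "process.name")).lower() == "cmd.exe"
            and str(get(event, "process.parent.name")).lower() == "sqlservr.exe")

ANALYTICS = {"analytic_1": analytic_1, "analytic_2": analytic_2, "analytic_3": analytic_3}

def hunt(events):
    """Return (analytic name, event index) pairs for every event that matches."""
    return [(name, i) for i, ev in enumerate(events)
            for name, check in ANALYTICS.items() if check(ev)]
```

Running `hunt(SAMPLE_EVENTS)` flags events 0, 2 and 3 under Analytics 1, 2 and 3 respectively and leaves the Get-Mailbox script block and the notepad.exe launch unflagged.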

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------


