EXPLORE
← Back to Explore
T1505

Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)

WindowsLinuxmacOSNetwork DevicesESXi
31
Detections
4
Sources
0
Threat Actors

BY SOURCE

27elastic2splunk_escu1kql1sigma

PROCEDURES (24)

Inject2 detections

Auto-extracted: 2 detections for inject

Service2 detections

Auto-extracted: 2 detections for service

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Http2 detections

Auto-extracted: 2 detections for http

Inject2 detections

Auto-extracted: 2 detections for inject

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Remote1 detections

Auto-extracted: 1 detections for remote

Privilege1 detections

Auto-extracted: 1 detections for privilege

Persist1 detections

Auto-extracted: 1 detections for persist

Privilege1 detections

Auto-extracted: 1 detections for privilege

Http1 detections

Auto-extracted: 1 detections for http

Service1 detections

Auto-extracted: 1 detections for service

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Child Process1 detections

Auto-extracted: 1 detections for child process

Remote1 detections

Auto-extracted: 1 detections for remote

Child Process1 detections

Auto-extracted: 1 detections for child process

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Aws1 detections

Auto-extracted: 1 detections for aws

Aws1 detections

Auto-extracted: 1 detections for aws

Api1 detections

Auto-extracted: 1 detections for api

Parent Process1 detections

Auto-extracted: 1 detections for parent process

DETECTIONS (31)

AWS Bedrock Agent Created by IAM User or Root
elasticlow
AWS Bedrock Agent or Action Group Manipulation
elasticmedium
AWS Bedrock Third-Party or External Knowledge Base Associated to Agent
elasticmedium
Cisco Modify Configuration
sigmamedium
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
splunk_escu
Deprecated - Uncommon Destination Port Connection by Web Server
elasticlow
Deprecated - Unusual Command Execution from Web Server Parent
elasticlow
Deprecated - Unusual Process Spawned from Web Server Parent
elasticlow
Execution via MSSQL xp_cmdshell Stored Procedure
elasticmedium
Initial Access via File Upload Followed by GET Request
elasticmedium
Microsoft Exchange Server UM Writing Suspicious Files
elasticmedium
Microsoft Exchange Worker Spawning Suspicious Processes
elastichigh
Possible webshell on the endpoint
kql
Potential SAP NetWeaver Exploitation
elastichigh
Potential SAP NetWeaver WebShell Creation
elastichigh
Potential Web Shell ASPX File Creation
elasticmedium
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
elastichigh
ScreenConnect Server Spawning Suspicious Processes
elastichigh
Simple HTTP Web Server Connection
elasticlow
Simple HTTP Web Server Creation
elasticlow
Suspicious Child Execution via Web Server
elasticmedium
Suspicious Command Execution via Web Server
elasticmedium
Unsigned DLL loaded by DNS Service
elasticmedium
Unusual Child Execution via Web Server
elasticmedium
Unusual Command Execution via Web Server
elasticmedium
Web Server Exploitation Detected via Defend for Containers
elastichigh
Web Server Potential Command Injection Request
elasticlow
Web Server Potential SQL Injection Request
elastichigh
Web Shell Detection: Script Process Child of Common Web Processes
elastichigh
Windows Server Update Service Spawning Suspicious Processes
elastichigh
Windows Shell Process from CrushFTP
splunk_escu