EXPLORE
Sign In
← Back to Explore
T1505

Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)

WindowsLinuxmacOSNetwork DevicesESXi
24
Detections
3
Sources
0
Threat Actors

BY SOURCE

21elastic2splunk_escu1sigma

PROCEDURES (18)

Parent Process3 detections

Auto-extracted: 3 detections for parent process

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Service2 detections

Auto-extracted: 2 detections for service

Http2 detections

Auto-extracted: 2 detections for http

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Persist1 detections

Auto-extracted: 1 detections for persist

Unusual1 detections

Auto-extracted: 1 detections for unusual

Privilege1 detections

Auto-extracted: 1 detections for privilege

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Remote1 detections

Auto-extracted: 1 detections for remote

Persist1 detections

Auto-extracted: 1 detections for persist

Privilege1 detections

Auto-extracted: 1 detections for privilege

Remote1 detections

Auto-extracted: 1 detections for remote

Privilege1 detections

Auto-extracted: 1 detections for privilege

Http1 detections

Auto-extracted: 1 detections for http

DETECTIONS (24)

Cisco Modify Configuration
sigmamedium
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
splunk_escu
Execution via MSSQL xp_cmdshell Stored Procedure
elasticmedium
Initial Access via File Upload Followed by GET Request
elasticmedium
Microsoft Exchange Server UM Writing Suspicious Files
elasticmedium
Microsoft Exchange Worker Spawning Suspicious Processes
elastichigh
Potential SAP NetWeaver Exploitation
elastichigh
Potential SAP NetWeaver WebShell Creation
elastichigh
Potential Web Shell ASPX File Creation
elasticmedium
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
elastichigh
ScreenConnect Server Spawning Suspicious Processes
elastichigh
Simple HTTP Web Server Connection
elasticlow
Simple HTTP Web Server Creation
elasticlow
Suspicious Child Execution via Web Server
elasticmedium
Uncommon Destination Port Connection by Web Server
elasticlow
Unsigned DLL loaded by DNS Service
elasticmedium
Unusual Command Execution from Web Server Parent
elasticlow
Unusual Process Spawned from Web Server Parent
elasticlow
Unusual Web Server Command Execution
elasticmedium
Web Server Exploitation Detected via Defend for Containers
elastichigh
Web Server Potential Command Injection Request
elasticlow
Web Shell Detection: Script Process Child of Common Web Processes
elastichigh
Windows Server Update Service Spawning Suspicious Processes
elastichigh
Windows Shell Process from CrushFTP
splunk_escu