EXPLORE
Sign In
← Back to Explore
T1505

Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)

WindowsLinuxmacOSNetwork DevicesESXi
25
Detections
4
Sources
0
Threat Actors

BY SOURCE

21elastic2splunk_escu1kql1sigma

PROCEDURES (19)

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Parent Process3 detections

Auto-extracted: 3 detections for parent process

Service2 detections

Auto-extracted: 2 detections for service

Http2 detections

Auto-extracted: 2 detections for http

Remote1 detections

Auto-extracted: 1 detections for remote

Service1 detections

Auto-extracted: 1 detections for service

Privilege1 detections

Auto-extracted: 1 detections for privilege

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Privilege1 detections

Auto-extracted: 1 detections for privilege

Persist1 detections

Auto-extracted: 1 detections for persist

Unusual1 detections

Auto-extracted: 1 detections for unusual

Privilege1 detections

Auto-extracted: 1 detections for privilege

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Remote1 detections

Auto-extracted: 1 detections for remote

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Http1 detections

Auto-extracted: 1 detections for http

DETECTIONS (25)

Cisco Modify Configuration
sigmamedium
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
splunk_escu
Execution via MSSQL xp_cmdshell Stored Procedure
elasticmedium
Initial Access via File Upload Followed by GET Request
elasticmedium
Microsoft Exchange Server UM Writing Suspicious Files
elasticmedium
Microsoft Exchange Worker Spawning Suspicious Processes
elastichigh
Possible webshell on the endpoint
kql
Potential SAP NetWeaver Exploitation
elastichigh
Potential SAP NetWeaver WebShell Creation
elastichigh
Potential Web Shell ASPX File Creation
elasticmedium
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
elastichigh
ScreenConnect Server Spawning Suspicious Processes
elastichigh
Simple HTTP Web Server Connection
elasticlow
Simple HTTP Web Server Creation
elasticlow
Suspicious Child Execution via Web Server
elasticmedium
Uncommon Destination Port Connection by Web Server
elasticlow
Unsigned DLL loaded by DNS Service
elasticmedium
Unusual Command Execution from Web Server Parent
elasticlow
Unusual Process Spawned from Web Server Parent
elasticlow
Unusual Web Server Command Execution
elasticmedium
Web Server Exploitation Detected via Defend for Containers
elastichigh
Web Server Potential Command Injection Request
elasticlow
Web Shell Detection: Script Process Child of Common Web Processes
elastichigh
Windows Server Update Service Spawning Suspicious Processes
elastichigh
Windows Shell Process from CrushFTP
splunk_escu