Server Software Component T1505
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.
Events covered
11 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 11 | FileCreate |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Defender-DeviceProcessEvents | ProcessCreated | Process created |
| MSSQLSERVER | Event ID 8128 | Event ID 8128 |
| MSSQLSERVER | Event ID 15457 | Event ID 15457 |
| IIS-Configuration | Event ID 29 | Changes to 'Configuration' at 'ConfigPath' have successfully been committed. |
| IIS-W3SVC-WP | Event ID 2282 | The Module DLL '%1' could not be loaded due to a configuration problem |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| PowerShell | Event ID 800 | Event ID 800 |
Authoring guide
Patterns shared across the 66 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (34 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (456 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (63 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 33 rules
- Chopper Webshell Process Pattern
- Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
- ETW Logging/Processing Option Disabled On IIS Server
- Exchange transport agent injection via configuration file
- Exchange transport agent installation artifacts (PowerShell)
- Execution From Webserver Root Folder
- HTTP Logging Disabled On IIS Server
- IIS Native-Code Module Command Line Installation
- MSExchange Transport Agent Installation
- New Module Module Added To IIS Server
- Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- Potential Suspicious Activity Using SeCEdit
- Potential Webshell Creation On Static Website
- Previously Installed IIS Module Was Removed
- SQL server sqlcmd utility abuse for privilege escalation
- SQL Server started in single mode (command)
- Suspicious ASPX File Drop by Exchange
- Suspicious Child Process Of SQL Server
- Suspicious File Drop by Exchange
- Suspicious File Write to SharePoint Layouts Directory
- Suspicious File Write to Webapps Root Directory
- Suspicious IIS Module Registration
- Suspicious MSExchangeMailboxReplication ASPX Write
- Suspicious Process By Web Server Process
- Suspicious Process Spawned by CentreStack Portal AppPool
- Webserver IIS configuration edited (SYSMON)
- Webserver IIS module installed (command)
- Webserver IIS module installed (command)
- Webserver IIS module installed (PowerShell)
- Webserver IIS module installed via GAC manipulation (PowerShell)
- Webshell Detection With Command Line Keywords
- Webshell Hacking Activity Patterns
- Webshell Tool Reconnaissance Activity
Elastic 5 rules
- Microsoft Exchange Server UM Writing Suspicious Files
- Microsoft Exchange Worker Spawning Suspicious Processes
- ScreenConnect Server Spawning Suspicious Processes
- Unusual Process For MSSQL Service Accounts
- Windows Server Update Service Spawning Suspicious Processes
Splunk 27 rules
- Detect Exchange Web Shell
- IIS Worker (W3WP) Spawn Command Line (Windows Event Log)
- Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
- Microsoft SQL Server Suspicious Child Process - Windows (Windows Event Log)
- MS Exchange Mailbox Replication service writing Active Server Pages
- Shell Spawned by Web Server - Windows (Windows Event Log)
- Windows Disable Windows Event Logging Disable HTTP Logging
- Windows IIS Components Add New Module
- Windows IIS Components Module Failed to Load
- Windows Metasploit Confluence Plugin Execution
- Windows Potential Web Shell Creation For VMware Workspace ONE
- Windows PowerShell Add Module to Global Assembly Cache
- Windows PowerShell Disable HTTP Logging
- Windows PowerShell IIS Components WebGlobalModule Usage
- Windows Server Software Component GACUtil Install to GAC
- Windows SharePoint Spinstall0 Webshell File Creation
- Windows Shell or Script Execution From IIS Directory
- Windows Shell Process from CrushFTP
- Windows SQL Server Configuration Option Hunt
- Windows SQL Server Critical Procedures Enabled
- Windows SQL Server Extended Procedure DLL Loading Hunt
- Windows SQL Server xp_cmdshell Config Change
- Windows Sqlservr Spawning Shell
- Windows Suspicious Child Process Spawned From WebServer
- Windows TeamCity Payload Execution from Temp Directory
- Windows TeamCity Plugin Installed
- Windows WSUS Spawning Shell