Server Software Component T1505

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.

Events covered

11 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 66 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (34 distinct)

The fields most rules look at when detecting this technique. The How column lists the operators authors apply to each field (eq, contains, ends_with, starts_with, in, wildcard, and regex match, shown as match) and how many rules use each. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
Image | 23 | ends_with 20, eq 3, contains 1 | \cmd.exe, \w3wp.exe, \appcmd.exe, \bash.exe, \powershell.exe
CommandLine | 22 | contains 19, in 3, ends_with 1, match 1, starts_with 1 | -classpath , .payload, module, msexchange, -af
TargetFilename | 15 | ends_with 9, contains 7, in 3, starts_with 2, wildcard 1 | .ashx, .asp, .aspx, *\\httpproxy\\oab\\*, *\\httpproxy\\owa\\auth\\*
process_name | 14 | eq 11, match 2, in 1 | cmd.exe, powershell.exe, powershell_ise.exe, (?i)\x5c(bash|bitsadmin|cmd|net|netstat|nltest|mshta|ping..., appcmd.exe
EventID | 12 | eq 12 | 15457, 4104, 4688, 1, 2282
ParentImage | 10 | ends_with 9, contains 4, eq 1, starts_with 1 | -tomcat-, \caddy.exe, \httpd.exe, \w3wp.exe, \services.exe
parent_process_name | 10 | eq 6, in 2, match 2 | (?i)sqlservr\.exe, w3wp.exe, ScreenConnect.Service.exe, WsusService.exe, cmd.exe
OriginalFileName | 8 | eq 6, in 2 | cmd.exe, powershell.exe, powershell_ise.exe, appcmd.exe, csc.exe
ScriptBlockText | 6 | contains 4, in 2 | .dll, *dontlog*, *enable-webglobalmodule*, *false*, *get-webconfigurationproperty*
Channel | 5 | eq 5, in 5 | (none listed)
event.type | 5 | eq 5 | start, creation
eventtype | 5 | eq 5 | (none listed)
file_name | 5 | ends_with 2, eq 2, in 1 | *.ashx, *.aspx, .aspx, .zip, original_file_name_set
Configuration | 4 | contains 2, ends_with 1, eq 1 | /system.webServer/httpLogging/@dontLog, /system.webserver/modules/add, /system.webserver/modules/remove, @logTargetW3C
Details | 3 | eq 2, contains 1 | AnonymousAuthenticationModule, CustomErrorModule, DefaultDocumentModule, etw, true
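To make the field normalization and the operator semantics concrete, here is an added example (not the catalog's code, nor any vendor's rule) that folds the three vendor naming schemes into one canonical event, implements the operators of the How column, and runs a constructed web-shell rule built from the indicators on this page over constructed events. The canonical field names, the alias table, the case-insensitive comparison (Sigma's default for string modifiers), the rule and the sample events are all assumptions of this example. It also counts how many events a bare shell-name indicator hits on its own versus the full parent/child pair, which is the point the Corpus reach column further down makes.

```python
import fnmatch
import re

# Vendor field names collapsed to one canonical name, as the catalog does for
# Sigma's Image, Elastic's process.name and Splunk's process_name. The canonical
# names on the right are this example's own choice, not the catalog's.
FIELD_ALIASES = {
    "Image": "process_path", "process.executable": "process_path",
    "process.name": "process_name", "process_name": "process_name",
    "ParentImage": "parent_path", "process.parent.executable": "parent_path",
    "process.parent.name": "parent_name", "parent_process_name": "parent_name",
    "CommandLine": "command_line", "process.command_line": "command_line",
    "process": "command_line",  # Splunk CIM Endpoint.Processes.process is the full command line
}

def normalize(event):
    """Rename vendor fields and derive bare file names from full paths, so an
    atom written as Image|endswith '\\cmd.exe' and one written as
    process_name=cmd.exe can be evaluated against the same canonical row."""
    out = {FIELD_ALIASES.get(k, k): str(v) for k, v in event.items()}
    for path_field, name_field in (("process_path", "process_name"),
                                   ("parent_path", "parent_name")):
        if path_field in out and name_field not in out:
            out[name_field] = out[path_field].replace("/", "\\").rsplit("\\", 1)[-1]
    return out

# The operators of the How column. Sigma string modifiers compare
# case-insensitively, so every string operator here lowercases both sides.
OPERATORS = {
    "eq":          lambda v, x: v.lower() == x.lower(),
    "ends_with":   lambda v, x: v.lower().endswith(x.lower()),
    "starts_with": lambda v, x: v.lower().startswith(x.lower()),
    "contains":    lambda v, x: x.lower() in v.lower(),
    "in":          lambda v, xs: v.lower() in {x.lower() for x in xs},
    "match":       lambda v, x: re.search(x, v) is not None,  # regex_match; pattern carries its own (?i)
    "wildcard":    lambda v, x: fnmatch.fnmatchcase(v.lower(), x.lower()),
}

def atom_matches(norm_event, atom):
    field, op, value = atom
    if field not in norm_event:  # a field absent from the event never matches
        return False
    return OPERATORS[op](norm_event[field], value)

def evaluate(rule, event):
    """All selection atoms must match and no filter (top-level not()) atom may."""
    ev = normalize(event)
    if not all(atom_matches(ev, a) for a in rule["selection"]):
        return False
    return not any(atom_matches(ev, a) for a in rule.get("filter", []))

def hits(atoms, events):
    """Count events matched by a bare atom list, ignoring exclusions; used to
    compare one indicator's reach with the full rule."""
    return sum(all(atom_matches(normalize(e), a) for a in atoms) for e in events)

def run(rule, events):
    return [e["id"] for e in events if evaluate(rule, e)]

# Constructed rule modelled on the indicators on this page: a web-server worker
# process spawning a shell, with one of the catalog's listed exclusions.
WEB_SHELL_RULE = {
    "selection": [
        ("parent_name", "in", ["w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "caddy.exe"]),
        ("process_name", "in", ["cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe"]),
    ],
    "filter": [
        ("command_line", "contains", "sc query"),
    ],
}

# Constructed sample events, one per vendor naming scheme; nothing here is real telemetry.
SAMPLE_EVENTS = [
    {"id": "sigma-1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"id": "elastic-2", "process.name": "powershell.exe",
     "process.parent.name": "w3wp.exe",
     "process.command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": "splunk-3", "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe",
     "process": "cmd.exe /c dir"},
    {"id": "sigma-4", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c sc query W3SVC"},
]

if __name__ == "__main__":
    print("rule fired on:", run(WEB_SHELL_RULE, SAMPLE_EVENTS))
    print("bare shell-name indicator hits:",
          hits(WEB_SHELL_RULE["selection"][1:], SAMPLE_EVENTS), "of", len(SAMPLE_EVENTS))
```

The bare shell-name atom hits every constructed event; adding the parent-process atom narrows it to the two web-server children, and the "sc query" exclusion drops the one that matches a filtered path. Note that a Sigma-style `Image|endswith '\cmd.exe'` atom alone misses the Elastic and Splunk events, which carry only a bare name, which is why the example derives `process_name` from the path before matching.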

Top indicator values (456 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers mark widely used indicators that are noisy on their own; pair them with a technique-specific condition, such as the web-server parent process, for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
ParentImage | ends_with | \w3wp.exe | 7 | 12
ParentImage | ends_with | \caddy.exe | 4 | 4
ParentImage | ends_with | \httpd.exe | 4 | 6
ParentImage | ends_with | \java.exe | 4 | 8
ParentImage | ends_with | \javaw.exe | 4 | 7
ParentImage | ends_with | \nginx.exe | 4 | 6
ParentImage | ends_with | \php-cgi.exe | 4 | 6
ParentImage | ends_with | \ws_tomcatservice.exe | 4 | 6
process_name | eq | cmd.exe | 6 | 75
process_name | eq | powershell.exe | 6 | 99
process_name | eq | powershell_ise.exe | 6 | 50
process_name | eq | pwsh.exe | 6 | 60
Image | ends_with | \cmd.exe | 5 | 134
Image | ends_with | \powershell.exe | 5 | 186
Image | ends_with | \w3wp.exe | 5 | 6
Image | ends_with | \pwsh.exe | 4 | 172
ParentImage | contains | -tomcat- | 4 | 4
ParentImage | contains | \tomcat | 4 | 6
TargetFilename | ends_with | .asp | 4 | 4
TargetFilename | ends_with | .aspx | 4 | 5
event.type | eq | start | 4 | 241
CommandLine | contains | catalina.jar | 3 | 3
CommandLine | contains | catalina_home | 3 | 3
EventID | eq | 15457 | 3 | 3
EventID | eq | 4104 | 3 | 268
EventID | eq | 4688 | 3 | 312
OriginalFileName | eq | cmd.exe | 3 | 65
OriginalFileName | eq | powershell.exe | 3 | 121
OriginalFileName | eq | powershell_ise.exe | 3 | 51
OriginalFileName | eq | pwsh.dll | 3 | 112

Exclusions (63 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out: installer parents such as iissetup.exe and msiexec.exe, known administrative command lines, and the names of IIS's own built-in modules. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
parent_process_name | in | iissetup.exe | 2
parent_process_name | in | msiexec.exe | 2
CommandLine | contains | admanager plus | 1
CommandLine | contains | sc query | 1
CommandLine | ends_with | Windows\system32\cmd.exe /c C:\ManageEngine\ADManager... | 1
CommandLine | starts_with | "C:\Windows\system32\cmd.exe" | 1
CommandLine | starts_with | /c echo | 1
Details | contains | etw | 1
Details | eq | AnonymousAuthenticationModule | 1
Details | eq | CustomErrorModule | 1
Details | eq | DefaultDocumentModule | 1
Details | eq | DirectoryListingModule | 1
Details | eq | FileCacheModule | 1
Details | eq | HttpCacheModule | 1
Details | eq | HttpLoggingModule | 1
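As an added example (not the catalog's code, nor any vendor's rule) of turning this exclusion list into an allow-list: the IIS module names excluded above become a baseline of built-in modules, and the installer parents become an exclusion on appcmd.exe module installs. The field names Configuration, Details, process_name, parent_process_name and CommandLine are taken from the tables on this page; the event shapes, the appcmd.exe command-line form (install module /name: /image:), the UpdHelperModule name and every sample event are constructed for this example and are assumptions. Running the detector with and without the exclusions shows how many of the constructed events a rule that ignores this list would fire on.

```python
import re
from dataclasses import dataclass

# Allow-list built from the module names this technique's rules exclude.
# Deliberately short: a real baseline is taken from a known-good IIS install.
BUILTIN_MODULES = {
    "AnonymousAuthenticationModule", "CustomErrorModule", "DefaultDocumentModule",
    "DirectoryListingModule", "FileCacheModule", "HttpCacheModule", "HttpLoggingModule",
}
# Parents that legitimately drive appcmd.exe during IIS setup and MSI installs.
INSTALLER_PARENTS = {"iissetup.exe", "msiexec.exe"}

# Assumed command form: appcmd.exe install module /name:<name> /image:<dll>
MODULE_NAME_RE = re.compile(r'/name:(?:"([^"]+)"|(\S+))', re.IGNORECASE)

@dataclass
class Finding:
    event_id: str
    reason: str

def module_name_from_cmdline(cmdline):
    """Pull the module name out of an appcmd.exe install module command line."""
    m = MODULE_NAME_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def module_findings(events, apply_exclusions=True):
    """Flag IIS module registrations and log-suppression changes.
    With apply_exclusions=False every registration fires, which is what a rule
    that ignores the exclusion list above would do."""
    findings = []
    for e in events:
        cfg = e.get("Configuration", "").lower()
        details = e.get("Details", "")
        parent = e.get("parent_process_name", "").lower()
        cmdline = e.get("CommandLine", "")

        # IIS configuration change: a module added to the global module list
        if cfg.endswith("/system.webserver/modules/add"):
            if apply_exclusions and details in BUILTIN_MODULES:
                continue
            findings.append(Finding(e["id"], f"IIS module registered: {details}"))

        # IIS configuration change: request logging switched off
        elif cfg.endswith("/system.webserver/httplogging/@dontlog") and details.lower() == "true":
            findings.append(Finding(e["id"], "IIS request logging disabled (dontLog=true)"))

        # Process event: appcmd.exe installing a native module from the command line
        elif e.get("process_name", "").lower() == "appcmd.exe" and " install module " in cmdline.lower():
            if apply_exclusions and parent in INSTALLER_PARENTS:
                continue
            name = module_name_from_cmdline(cmdline) or "<unparsed>"
            findings.append(Finding(e["id"], f"appcmd.exe installed module {name} (parent {parent or '?'})"))
    return findings

# Constructed sample events; UpdHelperModule and the paths are invented for this example.
SAMPLE_EVENTS = [
    {"id": "cfg-1", "Configuration": "/system.webServer/modules/add", "Details": "AnonymousAuthenticationModule"},
    {"id": "cfg-2", "Configuration": "/system.webServer/modules/add", "Details": "HttpLoggingModule"},
    {"id": "cfg-3", "Configuration": "/system.webServer/modules/add", "Details": "UpdHelperModule"},
    {"id": "cfg-4", "Configuration": "/system.webServer/httpLogging/@dontLog", "Details": "true"},
    {"id": "proc-5", "process_name": "appcmd.exe", "parent_process_name": "cmd.exe",
     "CommandLine": r"appcmd.exe install module /name:UpdHelperModule /image:C:\inetpub\temp\updhelper.dll"},
    {"id": "proc-6", "process_name": "appcmd.exe", "parent_process_name": "msiexec.exe",
     "CommandLine": r'appcmd.exe install module /name:"Rewrite Module" /image:C:\Windows\System32\inetsrv\rewrite.dll'},
]

if __name__ == "__main__":
    for f in module_findings(SAMPLE_EVENTS):
        print(f.event_id, f.reason)
    print("without exclusions:", len(module_findings(SAMPLE_EVENTS, apply_exclusions=False)), "findings")
```

With the exclusions applied only the unknown module registration, the logging change and the appcmd.exe install run from a shell survive; without them the detector also fires on the built-in modules an IIS install registers and on an MSI-driven install, which is the noise the exclusion table documents. The module allow-list is the part to keep current: a baseline taken from a clean server of the same IIS version is more trustworthy than a hand-typed set.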

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma 33 rules

Elastic 5 rules

Splunk 27 rules

Kusto 1 rule