T1505 IBM QRadar · QRadar

Detect Server Software Component in IBM QRadar

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications include features that allow developers to write and install software or scripts to extend the main application's functionality. Adversaries exploit this by installing malicious server software components such as web shells (ASP/ASPX/PHP/JSP files granting remote command execution), SQL stored procedures (particularly xp_cmdshell for OS command execution), IIS native modules or ISAPI filters, Microsoft Exchange transport agents, terminal services DLLs, and vSphere Installation Bundles (VIBs). These components persist across reboots, blend into legitimate server traffic, and provide direct OS-level access under the context of the server process account — making them difficult to detect without proper process lineage monitoring and web root integrity controls.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Canonical reference
https://attack.mitre.org/techniques/T1505/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  QIDNAME(qid) AS event_name,
  username,
  sourceip,
  hostname,
  "ParentImage",
  "CommandLine",
  "Image",
  "TargetFilename",
  "TargetObject",
  "Details",
  CASE
    WHEN LOWER("Image") LIKE '%cmd.exe' OR LOWER("Image") LIKE '%powershell.exe'
      OR LOWER("Image") LIKE '%pwsh.exe' OR LOWER("Image") LIKE '%wscript.exe'
      OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe' THEN 'Critical'
    WHEN "EventCode" IN ('1') THEN 'High'
    WHEN "EventCode" IN ('11','13') THEN 'High'
    ELSE 'Medium'
  END AS severity_rating,
  CASE
    WHEN "EventCode" = '1' THEN 'WebShell_ChildProcess'
    WHEN "EventCode" = '11' THEN 'SuspiciousWebFile_Written'
    WHEN "EventCode" = '13' THEN 'IIS_Module_Registered'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  -- last 24 hours: NOW() and starttime are epoch milliseconds, so subtract 86400000
  AND starttime > NOW() - 86400000
  AND (
    -- Signal 1: Web server spawning suspicious child processes
    (
      "EventCode" = '1'
      AND (
        LOWER("ParentImage") LIKE '%w3wp.exe' OR LOWER("ParentImage") LIKE '%httpd.exe'
        OR LOWER("ParentImage") LIKE '%nginx.exe' OR LOWER("ParentImage") LIKE '%tomcat%'
        OR LOWER("ParentImage") LIKE '%java.exe' OR LOWER("ParentImage") LIKE '%php-cgi.exe'
        OR LOWER("ParentImage") LIKE '%perl.exe' OR LOWER("ParentImage") LIKE '%python.exe'
        OR LOWER("ParentImage") LIKE '%ruby.exe' OR LOWER("ParentImage") LIKE '%node.exe'
      )
      AND (
        LOWER("Image") LIKE '%cmd.exe' OR LOWER("Image") LIKE '%powershell.exe'
        OR LOWER("Image") LIKE '%pwsh.exe' OR LOWER("Image") LIKE '%wscript.exe'
        OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe'
        OR LOWER("Image") LIKE '%rundll32.exe' OR LOWER("Image") LIKE '%regsvr32.exe'
        OR LOWER("Image") LIKE '%certutil.exe' OR LOWER("Image") LIKE '%net.exe'
        OR LOWER("Image") LIKE '%net1.exe' OR LOWER("Image") LIKE '%whoami.exe'
        OR LOWER("Image") LIKE '%systeminfo.exe' OR LOWER("Image") LIKE '%nltest.exe'
        OR LOWER("Image") LIKE '%curl.exe' OR LOWER("Image") LIKE '%wget.exe'
      )
    )
    OR
    -- Signal 2: Web shell file written to web root
    (
      "EventCode" = '11'
      AND (
        LOWER("TargetFilename") LIKE '%\\inetpub\\%' OR LOWER("TargetFilename") LIKE '%\\wwwroot\\%'
        OR LOWER("TargetFilename") LIKE '%\\htdocs\\%' OR LOWER("TargetFilename") LIKE '%\\webapps\\%'
        OR LOWER("TargetFilename") LIKE '%\\public_html\\%' OR LOWER("TargetFilename") LIKE '%/var/www/%'
      )
      AND (
        LOWER("TargetFilename") LIKE '%.aspx' OR LOWER("TargetFilename") LIKE '%.asp'
        OR LOWER("TargetFilename") LIKE '%.php' OR LOWER("TargetFilename") LIKE '%.jsp'
        OR LOWER("TargetFilename") LIKE '%.jspx' OR LOWER("TargetFilename") LIKE '%.cfm'
        OR LOWER("TargetFilename") LIKE '%.ashx' OR LOWER("TargetFilename") LIKE '%.asmx'
        OR LOWER("TargetFilename") LIKE '%.phtml'
      )
      AND LOWER("Image") NOT LIKE '%msiexec.exe'
      AND LOWER("Image") NOT LIKE '%setup.exe'
      AND LOWER("Image") NOT LIKE '%devenv.exe'
      AND LOWER("Image") NOT LIKE '%code.exe'
      AND LOWER("Image") NOT LIKE '%explorer.exe'
      AND LOWER("Image") NOT LIKE '%robocopy.exe'
    )
    OR
    -- Signal 3: IIS module registered via registry
    (
      "EventCode" = '13'
      AND (
        LOWER("TargetObject") LIKE '%\\currentcontrolset\\services\\w3svc%'
        OR LOWER("TargetObject") LIKE '%\\software\\microsoft\\inetstp%'
        OR LOWER("TargetObject") LIKE '%\\currentcontrolset\\services\\was%'
      )
      AND LOWER("Details") LIKE '%.dll'
      AND LOWER("Image") NOT LIKE '%msiexec.exe'
      AND LOWER("Image") NOT LIKE '%trustedinstaller.exe'
      AND LOWER("Image") NOT LIKE '%wusa.exe'
    )
  )
ORDER BY starttime DESC
Severity: High · Confidence: High

AQL query for IBM QRadar detecting T1505 server software component abuse from Sysmon event logs. Covers web shell child process execution (EventCode 1), suspicious web file creation in web roots (EventCode 11), and unauthorized IIS module DLL registration via registry (EventCode 13). Includes severity classification and detection type labeling.

Data Sources

Sysmon (via Windows Event Forwarding to QRadar)
IBM QRadar SIEM

Required Tables

events

False Positives & Tuning

  • Legitimate web application frameworks (Spring Boot, ASP.NET Core) that spawn Java or .NET runtime processes during startup or health checks, which may trigger the parent-child process signal
  • Automated deployment tools writing .php or .aspx files to web directories from build agents: exclude them by adding the deployer process names (jenkins.exe, octopus.exe, deploy.exe) to the Image NOT LIKE filter in Signal 2
  • IIS module registration by trusted Windows Update components: wusa.exe is already excluded, but update packages that run under other binary names are not; review the TargetObject and Details fields for context before adding an exclusion

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Deploy ASPX Web Shell to IIS Default Web Root

    Expected signal: Sysmon Event ID 11: File creation of argus_test_shell.aspx in C:\inetpub\wwwroot\ with Image=powershell.exe. Sysmon Event ID 1: Process Create with ParentImage=w3wp.exe, Image=cmd.exe, CommandLine='/c whoami' when the HTTP request is processed. IIS access log entry: GET request to /argus_test_shell.aspx?cmd=whoami from 127.0.0.1 with status 200. Security Event ID 4688 (if command line auditing enabled) showing cmd.exe with ParentProcessName=w3wp.exe.

  2. Test 2: SQL Server xp_cmdshell OS Command Execution via Stored Procedure

    Expected signal: Sysmon Event ID 1: Process Create with ParentImage=sqlservr.exe, Image=cmd.exe, CommandLine='/c whoami /all' and a second instance for 'ipconfig /all'. Security Event ID 4688 (if command line auditing): cmd.exe process creation with parent sqlservr.exe. SQL Server Audit (if enabled): sp_configure modification events and xp_cmdshell execution in the SQL audit log at the configured audit destination. Windows Application Event Log: SQL Server events indicating configuration changes.

  3. Test 3: IIS Native Module Registration via AppCmd

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject containing HKLM\SYSTEM\CurrentControlSet\Services\W3SVC or IIS applicationHost.config path, with Details containing the version.dll path. Sysmon Event ID 1: Process Create for %SystemRoot%\System32\inetsrv\appcmd.exe with CommandLine 'install module /name:ArgusTestModule /image:...'. File Modification: %SystemRoot%\System32\inetsrv\config\applicationHost.config updated to include the new module entry. IIS Event Log: module registration event in Microsoft-Windows-IIS-W3SVC-WP/Operational.

  4. Test 4: PHP Web Shell Deployment on Linux Apache/Nginx

    Expected signal: Linux auditd: open/creat syscall creating /var/www/html/argus_test.php. Process creation event: apache2 or php-fpm worker spawning /bin/sh with argument '-c id' (via shell_exec). Apache access log: GET /argus_test.php?cmd=id from 127.0.0.1 with HTTP 200 response. Syslog: process creation by www-data or apache user. If using EDR with Linux support: process creation event with parent=apache2|php-fpm and child=/bin/sh.

  5. Test 5: Simulate Exchange Transport Agent Installation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Install-TransportAgent'. Windows Registry: modification to HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeTransport with new agent entry. Exchange Application Event Log: transport agent registration events in the MSExchangeTransport source. Sysmon Event ID 11: if the DLL is written to disk first. PowerShell ScriptBlock Logging Event ID 4104: full Install-TransportAgent command with assembly path.
