T1505 Microsoft Sentinel · KQL

Detect Server Software Component in Microsoft Sentinel

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications include features that allow developers to write and install software or scripts to extend the main application's functionality. Adversaries exploit this by installing malicious server software components such as web shells (ASP/ASPX/PHP/JSP files granting remote command execution), SQL stored procedures (particularly xp_cmdshell for OS command execution), IIS native modules or ISAPI filters, Microsoft Exchange transport agents, terminal services DLLs, and vSphere Installation Bundles (VIBs). These components persist across reboots, blend into legitimate server traffic, and provide direct OS-level access under the context of the server process account — making them difficult to detect without proper process lineage monitoring and web root integrity controls.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Canonical reference
https://attack.mitre.org/techniques/T1505/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let WebServerProcesses = dynamic(["w3wp.exe","httpd.exe","nginx.exe","tomcat9.exe","tomcat.exe","java.exe","php-cgi.exe","perl.exe","python.exe","ruby.exe","node.exe","gunicorn","uvicorn"]);
let SuspiciousChildren = dynamic(["cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","certutil.exe","bitsadmin.exe","net.exe","net1.exe","whoami.exe","hostname.exe","ipconfig.exe","systeminfo.exe","nltest.exe","arp.exe","curl.exe","wget.exe","ping.exe","tracert.exe","nslookup.exe","sc.exe"]);
let WebRootPaths = dynamic(["\\inetpub\\","\\wwwroot\\","\\htdocs\\","\\webapps\\","\\public_html\\","\\web\\content\\","/var/www/","/srv/www/","/usr/share/nginx/"]);
let WebShellExtensions = dynamic([".aspx",".asp",".php",".jsp",".jspx",".cfm",".shtml",".ashx",".asmx",".phtml"]);
// Signal 1: Web server process spawning command interpreters or OS recon tools (primary web shell execution indicator)
let WebShellExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (WebServerProcesses)
| where FileName has_any (SuspiciousChildren)
| extend DetectionType = "WebShell_ChildProcess"
| extend RiskLevel = case(
    FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe"), "Critical",
    FileName in~ ("rundll32.exe","regsvr32.exe","certutil.exe","bitsadmin.exe"), "High",
    "Medium"
  )
| project Timestamp, DeviceName, AccountName, DetectedFileName=FileName, ProcessCommandLine,
         ParentProcess=InitiatingProcessFileName, ParentCommandLine=InitiatingProcessCommandLine,
         FolderPath, DetectionType, RiskLevel;
// Signal 2: Suspicious script files written to web-accessible directories by non-deployment processes
let WebFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated","FileModified")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebShellExtensions)
| where InitiatingProcessFileName !in~ ("msiexec.exe","setup.exe","install.exe","devenv.exe","code.exe","explorer.exe","robocopy.exe","xcopy.exe","w3wp.exe")
| extend DetectionType = "SuspiciousWebFile_Written"
| extend RiskLevel = "High"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         DetectedFileName=FileName, ProcessCommandLine=InitiatingProcessCommandLine,
         ParentProcess=InitiatingProcessFileName, ParentCommandLine=InitiatingProcessCommandLine,
         FolderPath, DetectionType, RiskLevel;
// Signal 3: Unauthorized IIS native module or ISAPI filter DLL registration via registry
let IISModuleRegistration = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("RegistryValueSet","RegistryKeyCreated")
| where RegistryKey has "SYSTEM\\CurrentControlSet\\Services\\W3SVC"
    or RegistryKey has "SOFTWARE\\Microsoft\\InetStp"
    or RegistryKey has "SYSTEM\\CurrentControlSet\\Services\\WAS"
| where RegistryValueData has ".dll"
| where InitiatingProcessFileName !in~ ("msiexec.exe","TrustedInstaller.exe","wusa.exe")
| extend DetectionType = "IIS_Module_Registered"
| extend RiskLevel = "High"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         DetectedFileName=InitiatingProcessFileName, ProcessCommandLine=InitiatingProcessCommandLine,
         ParentProcess=InitiatingProcessParentFileName, ParentCommandLine=InitiatingProcessCommandLine,
         FolderPath=RegistryKey, DetectionType, RiskLevel;
// Combine all signals
union WebShellExecution, WebFileCreation, IISModuleRegistration
| sort by Timestamp desc
critical severity high confidence

Multi-signal detection covering T1505 parent technique and its primary sub-techniques. Signal 1 identifies web shell execution by detecting web server processes (w3wp.exe, httpd, nginx, tomcat, java, python, node) spawning command interpreters or OS reconnaissance tools — the most reliable runtime indicator of active web shell use. Signal 2 catches web shell deployment by flagging script files (.aspx, .php, .jsp, etc.) written to web-accessible directories by non-installer processes. Signal 3 detects IIS Component abuse (T1505.004) by monitoring unauthorized DLL registration in W3SVC and InetStp registry keys. Together these signals provide layered coverage across the pre-execution (file drop), execution (child process), and persistence (module registration) phases of server software component attacks.

Data Sources

Process: Process CreationFile: File CreationWindows Registry: Windows Registry Key ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceFileEventsDeviceRegistryEvents

False Positives & Tuning

  • Java application servers (Tomcat, JBoss, WebLogic) spawning java.exe child processes for legitimate scheduled tasks, diagnostics, or maintenance operations initiated through management interfaces
  • CI/CD pipeline agents deployed on web servers that legitimately invoke cmd.exe or PowerShell during automated build and deployment workflows — typically identifiable by consistent command line patterns and timing aligned with deployment schedules
  • Content management systems (WordPress, Drupal, Joomla) executing PHP scripts that invoke system utilities for image processing, PDF generation, or file archiving via exec() or shell_exec()
  • Web-based server administration panels (WHM/cPanel, Plesk, Webmin, DirectAdmin) that by design execute OS commands via web server worker processes as part of their core functionality
  • IIS application pool identity accounts running legitimate PowerShell deployment scripts triggered by authorized web-based deployment tools (Octopus Deploy, Azure DevOps release pipelines)
  • Developer workstations with IIS Express installed locally where IDEs (Visual Studio, VS Code) write files to web root directories during normal development and compilation workflows
Download portable Sigma rule (.yml)

Other platforms for T1505

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Deploy ASPX Web Shell to IIS Default Web Root

    Expected signal: Sysmon Event ID 11: File creation of argus_test_shell.aspx in C:\inetpub\wwwroot\ with Image=powershell.exe. Sysmon Event ID 1: Process Create with ParentImage=w3wp.exe, Image=cmd.exe, CommandLine='/c whoami' when the HTTP request is processed. IIS access log entry: GET request to /argus_test_shell.aspx?cmd=whoami from 127.0.0.1 with status 200. Security Event ID 4688 (if command line auditing enabled) showing cmd.exe with ParentProcessName=w3wp.exe.

  2. Test 2SQL Server xp_cmdshell OS Command Execution via Stored Procedure

    Expected signal: Sysmon Event ID 1: Process Create with ParentImage=sqlservr.exe, Image=cmd.exe, CommandLine='/c whoami /all' and a second instance for 'ipconfig /all'. Security Event ID 4688 (if command line auditing): cmd.exe process creation with parent sqlservr.exe. SQL Server Audit (if enabled): sp_configure modification events and xp_cmdshell execution in the SQL audit log at the configured audit destination. Windows Application Event Log: SQL Server events indicating configuration changes.

  3. Test 3IIS Native Module Registration via AppCmd

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject containing HKLM\SYSTEM\CurrentControlSet\Services\W3SVC or IIS applicationHost.config path, with Details containing the version.dll path. Sysmon Event ID 1: Process Create for %SystemRoot%\System32\inetsrv\appcmd.exe with CommandLine 'install module /name:ArgusTestModule /image:...'. File Modification: %SystemRoot%\System32\inetsrv\config\applicationHost.config updated to include the new module entry. IIS Event Log: module registration event in Microsoft-Windows-IIS-W3SVC-WP/Operational.

  4. Test 4PHP Web Shell Deployment on Linux Apache/Nginx

    Expected signal: Linux auditd: open/creat syscall creating /var/www/html/argus_test.php. Process creation event: apache2 or php-fpm worker spawning /bin/sh with argument '-c id' (via shell_exec). Apache access log: GET /argus_test.php?cmd=id from 127.0.0.1 with HTTP 200 response. Syslog: process creation by www-data or apache user. If using EDR with Linux support: process creation event with parent=apache2|php-fpm and child=/bin/sh.

  5. Test 5Simulate Exchange Transport Agent Installation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Install-TransportAgent'. Windows Registry: modification to HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeTransport with new agent entry. Exchange Application Event Log: transport agent registration events in the MSExchangeTransport source. Sysmon Event ID 11: if the DLL is written to disk first. PowerShell ScriptBlock Logging Event ID 4104: full Install-TransportAgent command with assembly path.

Last updated: 2026-04-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1505 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (6)

Related Techniques

T1505.001SQL Stored ProceduresT1505.002Transport AgentT1505.003Web ShellT1505.004IIS ComponentsT1505.005Terminal Services DLLT1505.006vSphere Installation BundlesT1190Exploit Public-Facing ApplicationT1059.001PowerShellT1059.003Windows Command ShellT1078Valid AccountsT1071.001Web ProtocolsT1560Archive Collected Data

Same Tactic: Persistence

Popular Detections