title: Server Software Component (T1505)
id: df00tech-t1505
status: experimental
description: "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications include features that allow developers to write and install software or scripts to extend the main application's functionality. Adversaries exploit this by installing malicious server software components such as web shells (ASP/ASPX/PHP/JSP files granting remote command execution), SQL stored procedures (particularly xp_cmdshell for OS command execution), IIS native modules or ISAPI filters, Microsoft Exchange transport agents, terminal services DLLs, and vSphere Installation Bundles (VIBs). These components persist across reboots, blend into legitimate server traffic, and provide direct OS-level access under the context of the server process account — making them difficult to detect without proper process lineage monitoring and web root integrity controls."
references:
  - https://attack.mitre.org/techniques/T1505/
  - https://df00tech.com/detections/T1505
author: df00tech
date: 2026/04/20
tags:
  - attack.t1505
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Java application servers (Tomcat, JBoss, WebLogic) spawning java.exe child processes for legitimate scheduled tasks, diagnostics, or maintenance operations initiated through management interfaces"
  - CI/CD pipeline agents deployed on web servers that legitimately invoke cmd.exe or PowerShell during automated build and deployment workflows — typically identifiable by consistent command line patterns and timing aligned with deployment schedules
  - "Content management systems (WordPress, Drupal, Joomla) executing PHP scripts that invoke system utilities for image processing, PDF generation, or file archiving via exec() or shell_exec()"
  - "Web-based server administration panels (WHM/cPanel, Plesk, Webmin, DirectAdmin) that by design execute OS commands via web server worker processes as part of their core functionality"
  - "IIS application pool identity accounts running legitimate PowerShell deployment scripts triggered by authorized web-based deployment tools (Octopus Deploy, Azure DevOps release pipelines)"
  - "Developer workstations with IIS Express installed locally where IDEs (Visual Studio, VS Code) write files to web root directories during normal development and compilation workflows"
level: critical