Server Software Component T1505
Tactic: Persistence
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.
Events covered
22 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 144 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so that Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (101 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1572 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (341 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 56 rules
- Antivirus Web Shell Detection
- Chopper Webshell Process Pattern
- Cisco Modify Configuration
- Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- DEWMODE Webshell Access
- ETW Logging/Processing Option Disabled On IIS Server
- Exchange transport agent injection via configuration file
- Exchange transport agent installation artifacts (native)
- Exchange transport agent installation artifacts (PowerShell)
- Execution From Webserver Root Folder
- Failed MSExchange Transport Agent Installation
- HTTP Logging Disabled On IIS Server
- IIS Native-Code Module Command Line Installation
- Linux Webshell Indicators
- MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
- MSExchange Transport Agent Installation
- New Module Module Added To IIS Server
- Oracle WebLogic Exploit
- Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- Potential Java WebShell Upload in SAP NetViewer Server
- Potential SAP NetViewer Webshell Command Execution
- Potential Suspicious Activity Using SeCEdit
- Potential Webshell Creation On Static Website
- Previously Installed IIS Module Was Removed
- Rejetto HTTP File Server RCE
- Shellshock Expression
- Solarwinds SUPERNOVA Webshell Access
- SQL Server Dedicated Admin Connection (DAC) mode activated (native)
- SQL Server Dedicated Admin Connection (DAC) suspicious activity
- SQL Server lateral movement with CLR activation
- SQL server sqlcmd utility abuse for privilege escalation
- SQL Server started in single mode (command)
- SQL Server xp_cmdshell activation (native event)
- Suspicious ASPX File Drop by Exchange
- Suspicious Child Process Of SQL Server
- Suspicious File Drop by Exchange
- Suspicious File Write to SharePoint Layouts Directory
- Suspicious File Write to Webapps Root Directory
- Suspicious IIS Module Registration
- Suspicious MSExchangeMailboxReplication ASPX Write
- Suspicious Process By Web Server Process
- Suspicious Process Spawned by CentreStack Portal AppPool
- Suspicious SQL Query
- Suspicious Windows Strings In URI
- Webserver IIS configuration edited (SYSMON)
- Webserver IIS module installed (command)
- Webserver IIS module installed (command)
- Webserver IIS module installed (PowerShell)
- Webserver IIS module installed via GAC manipulation (PowerShell)
- Webshell Detection With Command Line Keywords
- Webshell Hacking Activity Patterns
- Webshell ReGeorg Detection Via Web Logs
- Webshell Remote Command Execution
- Webshell Tool Reconnaissance Activity
- Windows Webshell Strings
Elastic 30 rules
- AWS Bedrock Agent Created by IAM User or Root
- AWS Bedrock Agent or Action Group Manipulation
- AWS Bedrock Third-Party or External Knowledge Base Associated to Agent
- Deprecated - Microsoft Exchange Transport Agent Install Script
- Deprecated - Uncommon Destination Port Connection by Web Server
- Deprecated - Unusual Command Execution from Web Server Parent
- Deprecated - Unusual Process Spawned from Web Server Parent
- Execution via MSSQL xp_cmdshell Stored Procedure
- Initial Access via File Upload Followed by GET Request
- Microsoft Exchange Server UM Writing Suspicious Files
- Microsoft Exchange Worker Spawning Suspicious Processes
- Potential SAP NetWeaver Exploitation
- Potential SAP NetWeaver WebShell Creation
- Potential Web Shell ASPX File Creation
- Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
- ScreenConnect Server Spawning Suspicious Processes
- Simple HTTP Web Server Connection
- Simple HTTP Web Server Creation
- Suspicious Child Execution via Web Server
- Suspicious Command Execution via Web Server
- Unsigned DLL loaded by DNS Service
- Unusual Child Execution via Web Server
- Unusual Command Execution via Web Server
- Unusual File Creation by Web Server
- Unusual Process For MSSQL Service Accounts
- Web Server Exploitation Detected via Defend for Containers
- Web Server Potential Command Injection Request
- Web Server Potential SQL Injection Request
- Web Shell Detection: Script Process Child of Common Web Processes
- Windows Server Update Service Spawning Suspicious Processes
Splunk 42 rules
- Cisco Configuration Archive Logging Analysis
- Cisco Secure Firewall - Privileged Command Execution via HTTP
- Confluence Unauthenticated Remote Code Execution CVE-2022-26134
- Detect Exchange Web Shell
- ESXi Malicious VIB Forced Install
- Exploit Public Facing Application via Apache Commons Text
- IIS Worker (W3WP) Spawn Command Line (Windows Event Log)
- Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
- Microsoft SQL Server Suspicious Child Process - Windows (Windows Event Log)
- MS Exchange Mailbox Replication service writing Active Server Pages
- Shell Spawned by Web Server - Windows (Windows Event Log)
- Spring4Shell Payload URL Request
- Supernova Webshell
- Tomcat Session Deserialization Attempt
- Tomcat Session File Upload Attempt
- Web JSP Request via URL
- Windows Disable Windows Event Logging Disable HTTP Logging
- Windows IIS Components Add New Module
- Windows IIS Components Get-WebGlobalModule Module Query
- Windows IIS Components Module Failed to Load
- Windows IIS Components New Module Added
- Windows Metasploit Confluence Plugin Execution
- Windows Potential Web Shell Creation For VMware Workspace ONE
- Windows PowerShell Add Module to Global Assembly Cache
- Windows PowerShell Disable HTTP Logging
- Windows PowerShell IIS Components WebGlobalModule Usage
- Windows Server Software Component GACUtil Install to GAC
- Windows SharePoint Spinstall0 GET Request
- Windows SharePoint Spinstall0 Webshell File Creation
- Windows SharePoint ToolPane Endpoint Exploitation Attempt
- Windows Shell or Script Execution From IIS Directory
- Windows Shell Process from CrushFTP
- Windows SQL Server Configuration Option Hunt
- Windows SQL Server Critical Procedures Enabled
- Windows SQL Server Extended Procedure DLL Loading Hunt
- Windows SQL Server Startup Procedure
- Windows SQL Server xp_cmdshell Config Change
- Windows Sqlservr Spawning Shell
- Windows Suspicious Child Process Spawned From WebServer
- Windows TeamCity Payload Execution from Temp Directory
- Windows TeamCity Plugin Installed
- Windows WSUS Spawning Shell
Kusto 11 rules
- Azure DevOps New Extension Added
- Cloudflare - Unexpected POST requests
- Cloudflare - Unexpected POST requests
- Corelight - Possible Webshell
- Corelight - Possible Webshell (Rare PUT or POST)
- Detect potential presence of a malicious file with a double extension (ASIM Web Session)
- Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts
- Pathlock TDnR - ABAP Source Code Changes
- Pathlock TDnR - ICF Web Service Changes
- SQL Server spawning suspicious child process
- SUPERNOVA webshell
YARA-L 4 rules
- Attempted SharePoint Webshell Creation CVE-2025-53770
- Potential Webshell Process Execution
- Successful SharePoint Webshell Creation CVE-2025-53770
- Suspicious Filewrites To Sharepoint Layouts