- Tactics
- Persistence
- Platforms
- Windows, Linux, macOS, Network Devices, ESXi
- Reference
- attack.mitre.org/techniques/T1505
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Persistence tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1136 — Create Account
- T1137 — Office Application Startup
- T1176 — Software Extensions
- T1197 — BITS Jobs
- T1205 — Traffic Signaling
- T1525 — Implant Internal Image