MITRE ATT&CK® Detection Strategy

DET0547: Detection Strategy for T1505 - Server Software Component


Domain: Enterprise | ID: DET0547 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0547 is a MITRE detection strategy object for detecting ATT&CK technique T1505, Server Software Component. The practical issue is persistence: if an attacker can add or abuse a server extension, plugin, script, or component, access may survive reboots, credential changes, and routine response actions. For leaders, this matters because core server platforms often support business-critical applications, and weak visibility into their extensibility mechanisms can leave a persistence path outside normal endpoint-only monitoring.

Executive priority

Prioritize this as a resilience and assurance question: do security, infrastructure, and application owners know which server software components are authorized, monitored, and change-controlled across Windows, Linux, macOS, and network-device environments? Because the ATT&CK object provides no official detection logic, executives should not treat DET0547 as a ready-made rule. Instead, use it to drive control validation, audit evidence for approved server extensions, and incident response readiness for persistence in enterprise server applications.

Technical view

The supplied detection strategy object carries no official description or detection text; its only content is the relationship to T1505, a persistence technique in which an adversary abuses the legitimate extensibility of server software (web shells written into a web server's content directory, mail transport agents, SQL stored procedures, IIS modules, and similar components that the server itself loads or executes). SOC and detection engineering teams should validate visibility into the installation, modification, loading, and execution of such components, especially where server applications permit extensions or scripts. IR teams should ensure playbooks include a comparison of authorized versus unexpected server components during persistence scoping across the related platforms: Windows, Linux, macOS, and network devices.

Likely telemetry

  • Server application logs showing component, plugin, extension, module, or script installation and loading events
  • File system monitoring for changes in server application component directories and configuration paths
  • Process execution telemetry showing server processes (web, mail, database) spawning unexpected child processes, in particular shells and script interpreters
  • Configuration and change-management records for approved server extensions or application customizations
  • Endpoint or host audit logs from Windows, Linux, and macOS servers where applicable

Detection direction

  • Start by mapping which enterprise server applications support extensible components, then define expected component inventories and approved change paths.
  • Tune detections around unauthorized or unexpected additions, modifications, or loads of server software components rather than relying only on generic malware signatures.
  • Correlate server application logs, file integrity events, process telemetry, and change-management tickets to reduce false positives from legitimate development, patching, or administrative activity.
  • Validate coverage separately for Windows, Linux, macOS, and network devices because the related technique spans all four and telemetry depth will differ by platform.
  • During investigations, treat newly installed or recently modified server components as persistence candidates, but confirm with local evidence before escalating severity.

Mitigation priorities

  • Establish an authoritative inventory of server applications and their supported extension mechanisms.
  • Require change control and ownership for server components, plugins, modules, scripts, and application customizations.
  • Restrict administrative access to install or modify server software components using least privilege and role separation.
  • Enable centralized logging and retention for server application, host, and network-device configuration events relevant to component changes.
  • Use file integrity monitoring or equivalent configuration assurance for critical server component locations.
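The detection direction above and the file-integrity item in this list come down to one mechanism: a baseline of approved components, compared against observed file changes and the change tickets that should explain them. The following Python is an added example, not MITRE or Glexia code, and it does not reproduce any analytic from the DET0547 object. The monitored directories, component extensions, service account names, ticket IDs, hashes and file events are all constructed for illustration; a real deployment would take the baseline from the application inventory and the events from a file integrity monitor or audit log.

```python
"""Baseline-and-compare detection for server software components (T1505).

Added example (not MITRE or Glexia code). Directories, extensions, accounts,
ticket IDs, hashes and events below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed: paths from which the monitored server applications load extensions.
MONITORED_DIRS = ("/var/www/app/", "/opt/app/modules/")
# Constructed: file types treated as executable or loadable server components.
COMPONENT_EXTENSIONS = (".php", ".aspx", ".jsp", ".so", ".dll", ".py")
# Constructed: accounts the servers run as. They serve content and should never
# be the author of new executable content; that is the classic web-shell footprint.
SERVICE_ACCOUNTS = {"www-data", "app-svc"}


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    action: str   # "create", "modify" or "delete"
    path: str
    sha256: str   # hash of the file after the event ("" for delete)
    actor: str    # account that made the change


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    paths: frozenset
    actor: str
    start: datetime
    end: datetime

    def covers(self, ev: FileEvent) -> bool:
        return (ev.path in self.paths and ev.actor == self.actor
                and self.start <= ev.ts <= self.end)


@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    event: FileEvent


def is_component(path: str) -> bool:
    """True for executable/loadable files under a monitored component path."""
    return (path.startswith(MONITORED_DIRS)
            and path.lower().endswith(COMPONENT_EXTENSIONS))


def evaluate(events, baseline, tickets):
    """Compare file events against the approved-component baseline
    ({path: sha256}) and change tickets. Baseline-identical content is
    ignored, ticketed changes are recorded as informational, and everything
    else is a persistence candidate."""
    findings = []
    for ev in events:
        if not is_component(ev.path):
            continue
        approved_hash = baseline.get(ev.path)
        if ev.action in ("create", "modify") and approved_hash == ev.sha256:
            continue  # content matches the approved baseline; nothing new loaded
        if ev.actor in SERVICE_ACCOUNTS and ev.action in ("create", "modify"):
            findings.append(Finding("critical", "service account wrote server component", ev))
            continue
        ticket = next((t for t in tickets if t.covers(ev)), None)
        if ticket is not None:
            findings.append(Finding("info", f"change covered by {ticket.ticket_id}", ev))
            continue
        if ev.action == "delete":
            if approved_hash is not None:
                findings.append(Finding("medium", "approved component removed outside change control", ev))
            continue
        if approved_hash is None:
            findings.append(Finding("high", "new server component outside change control", ev))
        else:
            findings.append(Finding("high", "approved component modified outside change control", ev))
    return findings


def T(s):
    return datetime.fromisoformat(s)


BASELINE = {  # constructed: approved components and their hashes
    "/var/www/app/index.php": "d1" * 32,
    "/var/www/app/plugins/auth.php": "a2" * 32,
}
TICKETS = [ChangeTicket("CHG-1001", frozenset({"/var/www/app/plugins/report.php"}),
                        "deploy-bot", T("2024-05-01T10:00:00"), T("2024-05-01T11:00:00"))]
EVENTS = [  # constructed file-integrity events from one web server
    FileEvent(T("2024-05-01T10:05:00"), "web01", "create", "/var/www/app/plugins/report.php", "b3" * 32, "deploy-bot"),
    FileEvent(T("2024-05-01T23:41:00"), "web01", "create", "/var/www/app/uploads/img.php", "c4" * 32, "www-data"),
    FileEvent(T("2024-05-02T09:00:00"), "web01", "modify", "/var/www/app/index.php", "e5" * 32, "alice"),
    FileEvent(T("2024-05-02T09:01:00"), "web01", "modify", "/var/www/app/static/logo.png", "f6" * 32, "alice"),
    FileEvent(T("2024-05-02T09:02:00"), "web01", "modify", "/var/www/app/plugins/auth.php", "a2" * 32, "alice"),
    FileEvent(T("2024-05-02T09:03:00"), "web01", "delete", "/var/www/app/plugins/auth.php", "", "alice"),
]


def run_demo():
    return evaluate(EVENTS, BASELINE, TICKETS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.severity:8} {f.event.ts.isoformat()} {f.event.actor:10} {f.event.path}  {f.reason}")
```

On the constructed events this yields four findings: the ticketed plugin deploy is informational, the PHP file written under uploads/ by the web server's own account is critical, the unexplained modification of index.php and the removal of an approved plugin are high and medium, and the image change and the hash-identical touch of auth.php are not reported at all. Telemetry depth differs by platform, so the same comparison on a Windows IIS host or a network device would use different paths and extensions but the same baseline-plus-ticket logic.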

Analyst notes and limits

This Glexia take is based on the DET0547 STIX object and its relationship to T1505 Server Software Component. The object itself does not include official detection text, tactics, platforms, labels, or aliases; practical guidance is therefore derived conservatively from the related technique description, tactics, and platforms supplied in the relationship context.

The source data does not provide a concrete analytic, query, data source list, or vendor-specific detection method. Local server inventory, application architecture, logging configuration, and change-management evidence are required to determine actual detection coverage and risk.

Official MITRE ATT&CK definition

Detection Strategy for T1505 - Server Software Component

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                       Relationship / procedure
Enterprise  T1505  Server Software Component  This object detects Server Software Component.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: -
Modified: -
Raw hash: 823c8dd247de1f25...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  823c8dd247de…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0547 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.