server应用组件

攻击者可能滥用服务器应用程序的合法可扩展开发功能来建立对系统的持久访问。企业服务器应用程序可能包含允许应用程序开发人员编写和安装软件以扩展主应用程序功能的功能。攻击者可能会安装恶意软件组件，以恶意扩展和滥用服务器应用程序。

Server Software Component

Adversaries may abuse legitimate extensible development features of server applications to establish persistent access to systems. Enterprise server applications may include features that allow application developers to write and install software to extend the functionality of the main application. Adversaries may install malicious software components to maliciously extend and abuse server applications.

传输代理

Microsoft Exchange传输代理可以对通过传输管道传递的电子邮件进行操作，以执行各种任务，例如过滤垃圾邮件，过滤恶意附件，日记或在所有外发电子邮件的末尾添加公司签名。[1] [2]传输代理可以由应用程序开发人员编写，然后编译为.NET程序集，然后向Exchange服务器注册。运输代理将在电子邮件处理的指定阶段被调用，并执行开发人员定义的任务。

对手可能注册了恶意的传输代理，以在Exchange Server中提供一种持久性机制，该机制可以由对手指定的电子邮件事件触发。[2]尽管可以为通过Exchange传输管道的所有电子邮件调用恶意的传输代理，但可以将代理配置为仅执行特定任务以响应对手定义的标准。例如，如果收件人电子邮件地址与对手提供的列表中的条目匹配，则运输代理仅可以执行类似复制运输中的附件并将其保存以供以后过滤的操作。

Transport Agent

Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.[1][2] Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.

Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.[2] Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.

SQL存储过程

SQL存储过程是可以保存和重用的代码，因此数据库用户不会浪费时间重写频繁使用的SQL查询。可以使用过程名称通过SQL语句或数据库中定义的事件（例如，当SQL Server应用程序启动/重新启动时）通过SQL语句调用存储过程。攻击者可能设计出可以在SQL数据库服务器中提供持久性机制的恶意存储过程。要通过SQL语法执行操作系统命令，对手可能必须启用其他功能，例如xp_cmdshellMSSQL Server。

Microsoft SQL Server可以启用公共语言运行时（CLR）集成。启用CLR集成后，应用程序开发人员可以使用任何.NET Framework语言（例如VB .NET，C＃等）编写存储过程。[6]对手可以制作或修改链接到存储过程的CLR程序集，可以使这些CLR程序集执行任意命令。

SQL Stored Procedures

SQL stored procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.[3][4] To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).Adversaries may craft or modify CLR assemblies that are linked to stored procedures, these CLR assemblies can be made to execute arbitrary commands.

标签

ID编号： T1505

策略： 持久性

平台： Windows，Linux

所需权限： 管理员，SYSTEM，root

数据源： 文件监视，应用程序日志

程序示例

名称	描述
LightNeuron(S0395)	LightNeuron (S0395) 使用恶意的Microsoft Exchange传输代理进行持久化。

Name	Description
LightNeuron(S0395)	LightNeuron (S0395) uses a malicious Microsoft Exchange transport agent for persistence.[2]

缓解措施

缓解	描述
审计 (M1047)	定期检查关键服务上的组件，攻击者可能会针对这些组件提供持久性以验证系统的完整性，并确定是否进行了意外更改。
代码签名 (M1045)	确保所有应用程序组件二进制文件均由正确的应用程序开发人员签名。
特权账户管理 (M1026)	不允许将有权在这些服务上添加组件软件的管理员帐户用于日常操作，这些操作可能会使它们暴露于非特权系统上的潜在对手。

Mitigation	Description
Audit (M1047)	Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
Code Signing (M1045)	Ensure all application component binaries are signed by the correct application developers.
Privileged Account Management(M1026)	Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

检测

考虑监视应用程序日志中的异常行为，这些异常行为可能指示可疑应用程序软件组件的安装。考虑监视与新应用程序软件组件的安装相关的文件位置，例如应用程序通常从中加载此类可扩展组件的路径。在MSSQL Server上，请考虑监视xp_cmdshell使用情况。

Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components. On MSSQL Server, consider monitoring for xp_cmdshell usage