GitHub Repo

T1505.003

Date: 2025-10-28 ID: cc9b2609-efc9-11eb-926b-550bf0943fbb Author: Michael Haag Environment: attack_range Directory: T1505.003

Description

The following data was produced to emulate IIS, w3wp.exe, spawning shells, simulating web shell activity. In addition, behavior related to Microsoft Exchange Server's Unified Messaging services, umworkerprocess.exe and umservice.exe, spawning a child process. Behaviors are related to vulnerabilities exploited by HAFNIUM Group. The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

MITRE ATT&CK Techniques

ID Technique Tactic
T1505.003 Web Shell Persistence

Environment Details

Field Value
Environment attack_range
Directory T1505.003
Test Date 2025-10-28

Datasets

The following datasets were collected during this attack simulation:

Windows-Sysmon_proxylogon

  • Path: /datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Windows-Sysmon_umservices

  • Path: /datasets/attack_techniques/T1505.003/windows-sysmon_umservices.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Windows-Sysmon

  • Path: /datasets/attack_techniques/T1505.003/windows-sysmon.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Moveit_windows-Sysmon

  • Path: /datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Wsus-Windows-Sysmon

  • Path: /datasets/attack_techniques/T1505.003/wsus-windows-sysmon.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Wsus-Sa-Windows-Sysmon

  • Path: /datasets/attack_techniques/T1505.003/wsus-sa-windows-sysmon.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Wsus-Iis

  • Path: /datasets/attack_techniques/T1505.003/wsus-iis.log
  • Sourcetype: iis
  • Source: iis

Wsus-Suricata

  • Path: /datasets/attack_techniques/T1505.003/wsus-suricata.log
  • Sourcetype: suricata
  • Source: suricata

Wsus-7053-Windows-Application

  • Path: /datasets/attack_techniques/T1505.003/wsus-7053-windows-application.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Application

No specific detections currently use this attack data for testing. However, you can find related detections and analytics in our security content repository.

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above
  2. Configure your Splunk instance with the appropriate sourcetypes
  3. Import the logs using the Splunk Add Data wizard

Related Content

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0