T1505.004 IIS Components Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1505.004 — Malicious IIS Components detection
// ISAPI filters/extensions registered in IIS configuration and loaded by w3wp.exe
// Part 1: Detect DLL registration in IIS configuration registry paths
let IISComponentReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "W3SVC",
    "ISAPI Filter",
    "ISAPI Extension",
    "GlobalModules",
    "IIS\\FastCGI",
    "system32\\inetsrv"
  )
| where RegistryValueName has_any ("FilterDLLs", "Path", "ImagePath", "DLL", "Filename")
| where RegistryValueData has ".dll"
| extend DetectionType = "IIS_Component_Registration"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect DLL writes to IIS directories from unexpected processes
let IISDirWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any ("\\system32\\inetsrv\\", "\\iis\\",
                            "\\inetsrv\\", "\\inetpub\\")
| where FileName endswith ".dll"
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "pkgmgr.exe",
                                         "TiWorker.exe", "TrustedInstaller.exe",
                                         "wusa.exe", "dism.exe")
| extend DetectionType = "IIS_DLL_Write"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect unusual DLL loads by w3wp.exe from non-standard paths
let IISUnexpectedLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FolderPath has_any ("\\Users\\", "\\Temp\\", "\\ProgramData\\",
                            "\\AppData\\", "\\Windows\\Temp\\")
| where FileName endswith ".dll"
| extend DetectionType = "IIS_Non_Standard_DLL_Load"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, DetectionType;
union IISComponentReg, IISDirWrite, IISUnexpectedLoad
| sort by Timestamp desc

critical severity high confidence

Data Sources

Windows Registry: Registry Value Modification File: File Creation Module: Module Load Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceFileEvents DeviceImageLoadEvents

False Positives

Legitimate IIS module installations for anti-virus scanning, WAF, or URL rewriting (URL Rewrite Module, Application Request Routing)
Windows Updates applying patches to IIS components via TrustedInstaller/wusa
Third-party web application security products installing ISAPI filters for request inspection
Web application framework installations (ASP.NET, PHP for Windows, etc.) registering their respective ISAPI extensions

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=13 AND
      match(TargetObject, "(?i)(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|inetsrv)") AND
      match(Details, "(?i)\.dll"),
      "IIS_Component_Registration",
    EventCode=11 AND
      match(TargetFilename, "(?i)(\\\\system32\\\\inetsrv|\\\\inetpub|\\\\inetsrv)") AND
      match(TargetFilename, "(?i)\.dll$") AND
      NOT match(Image, "(?i)(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe"),
      "IIS_Dir_DLL_Write",
    EventCode=7 AND
      match(Image, "(?i)w3wp\.exe") AND
      match(ImageLoaded, "(?i)(\\\\Users|\\\\Temp|\\\\ProgramData|\\\\AppData|\\\\Windows\\\\Temp)") AND
      match(ImageLoaded, "(?i)\.dll$"),
      "IIS_Non_Standard_Module_Load",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, User, detection_type, Image, CommandLine, TargetFilename, TargetObject, Details, ImageLoaded
| sort - _time

critical severity high confidence

Data Sources

Windows Registry: Registry Value Modification File: File Creation Module: Module Load Sysmon Event ID 7, 11, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate IIS extensions (URL Rewrite, ARR, WebDAV) installed via Windows Server Roles
Web application frameworks registering ISAPI extensions during installation
Security product installations adding ISAPI filters for request inspection

Elastic Security (EQL)

eql

sequence by host.name with maxspan=1h
  [registry where event.type in ("creation", "change")
    and registry.path : ("*W3SVC*", "*ISAPI Filter*", "*ISAPI Extension*", "*GlobalModules*", "*inetsrv*")
    and registry.value : ("FilterDLLs", "Path", "ImagePath", "DLL", "Filename")
    and registry.data.strings : "*.dll*"]
  [file where event.type in ("creation", "change")
    and file.extension : "dll"
    and file.path : ("*\\system32\\inetsrv\\*", "*\\iis\\*", "*\\inetsrv\\*", "*\\inetpub\\*")
    and not process.name : ("msiexec.exe", "setup.exe", "pkgmgr.exe", "TiWorker.exe", "TrustedInstaller.exe", "wusa.exe", "dism.exe")]
or
any where event.category == "library"
  and process.name : "w3wp.exe"
  and dll.path : ("*\\Users\\*", "*\\Temp\\*", "*\\ProgramData\\*", "*\\AppData\\*", "*\\Windows\\Temp\\*")
  and dll.name : "*.dll"

high severity high confidence

Data Sources

Windows Registry Events (Sysmon EventID 12/13/14) Windows File Events (Sysmon EventID 11) Windows Image Load Events (Sysmon EventID 7) Elastic Endpoint Security agent

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-windows.sysmon_operational-*

False Positives

Legitimate IIS module installation via Microsoft Web Platform Installer or IIS Manager — will produce registry writes and DLL drops in inetsrv with msiexec.exe or similar as the initiating process (whitelisted in query)
Third-party web application frameworks (ORDS, ASP.NET modules, URL Rewrite) that install native DLL modules into inetsrv during normal deployment pipelines
Security products such as Imperva WAF, F5 iRules, or Dynatrace OneAgent that legitimately install as ISAPI filters or IIS native modules and load from non-default paths

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip" AS host_ip,
  QIDNAME(qid) AS event_name,
  "EventID",
  CASE
    WHEN "EventID" = '13' AND ("TargetObject" ILIKE '%W3SVC%' OR "TargetObject" ILIKE '%ISAPI Filter%' OR "TargetObject" ILIKE '%ISAPI Extension%' OR "TargetObject" ILIKE '%GlobalModules%' OR "TargetObject" ILIKE '%inetsrv%') AND "Details" ILIKE '%.dll%'
      THEN 'IIS_Component_Registration'
    WHEN "EventID" = '11' AND ("TargetFilename" ILIKE '%\\system32\\inetsrv%' OR "TargetFilename" ILIKE '%\\inetpub%' OR "TargetFilename" ILIKE '%\\inetsrv%') AND "TargetFilename" ILIKE '%.dll' AND NOT ("Image" ILIKE '%msiexec.exe%' OR "Image" ILIKE '%setup.exe%' OR "Image" ILIKE '%pkgmgr.exe%' OR "Image" ILIKE '%TiWorker.exe%' OR "Image" ILIKE '%TrustedInstaller.exe%' OR "Image" ILIKE '%wusa.exe%' OR "Image" ILIKE '%dism.exe%')
      THEN 'IIS_Dir_DLL_Write'
    WHEN "EventID" = '7' AND "Image" ILIKE '%w3wp.exe%' AND ("ImageLoaded" ILIKE '%\\Users\\%' OR "ImageLoaded" ILIKE '%\\Temp\\%' OR "ImageLoaded" ILIKE '%\\ProgramData\\%' OR "ImageLoaded" ILIKE '%\\AppData\\%' OR "ImageLoaded" ILIKE '%\\Windows\\Temp\\%') AND "ImageLoaded" ILIKE '%.dll'
      THEN 'IIS_Non_Standard_Module_Load'
    ELSE NULL
  END AS detection_type,
  "Image" AS initiating_process,
  "CommandLine",
  "TargetObject" AS registry_key,
  "Details" AS registry_value,
  "TargetFilename" AS file_path,
  "ImageLoaded" AS loaded_dll
FROM events
WHERE logsourcetypeid = 1011
  AND "EventID" IN ('7', '11', '13')
  AND CASE
    WHEN "EventID" = '13' AND ("TargetObject" ILIKE '%W3SVC%' OR "TargetObject" ILIKE '%ISAPI Filter%' OR "TargetObject" ILIKE '%ISAPI Extension%' OR "TargetObject" ILIKE '%GlobalModules%' OR "TargetObject" ILIKE '%inetsrv%') AND "Details" ILIKE '%.dll%' THEN 1
    WHEN "EventID" = '11' AND ("TargetFilename" ILIKE '%\\system32\\inetsrv%' OR "TargetFilename" ILIKE '%\\inetpub%' OR "TargetFilename" ILIKE '%\\inetsrv%') AND "TargetFilename" ILIKE '%.dll' AND NOT ("Image" ILIKE '%msiexec.exe%' OR "Image" ILIKE '%setup.exe%' OR "Image" ILIKE '%pkgmgr.exe%' OR "Image" ILIKE '%TiWorker.exe%' OR "Image" ILIKE '%TrustedInstaller.exe%') THEN 1
    WHEN "EventID" = '7' AND "Image" ILIKE '%w3wp.exe%' AND ("ImageLoaded" ILIKE '%\\Users\\%' OR "ImageLoaded" ILIKE '%\\Temp\\%' OR "ImageLoaded" ILIKE '%\\ProgramData\\%' OR "ImageLoaded" ILIKE '%\\AppData\\%') AND "ImageLoaded" ILIKE '%.dll' THEN 1
    ELSE 0
  END = 1
  AND LOGSOURCETIME(starttime) > DATEADD('hour', -24, NOW())
ORDER BY starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Sysmon (QRadar DSM) Windows Security Event Log

Required Tables

events

False Positives

Legitimate software deployment tools writing IIS modules during scheduled maintenance windows — coordinate with change management to suppress known-good deployment processes
Web Application Firewall agents or APM monitoring tools (New Relic, AppDynamics) that register as ISAPI filters and may load from non-standard installation directories
Development environments where developers have write access to IIS directories and load test DLLs from their user profile folders during active development

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| where EventID in ("7", "11", "13")
| eval detection_type = ""
// Part 1: IIS Component Registry Registration (Sysmon EventID 13 - RegistryEvent Value Set)
| where (EventID = "13"
    AND (TargetObject matches /(?i)(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|inetsrv)/)
    AND (Details matches /(?i)\.dll/)
  ) OR
  // Part 2: DLL Written to IIS Directory by Non-Installer Process (Sysmon EventID 11 - FileCreate)
  (EventID = "11"
    AND (TargetFilename matches /(?i)(\\system32\\inetsrv|\\inetpub|\\inetsrv)/)
    AND (TargetFilename matches /(?i)\.dll$/)
    AND NOT (Image matches /(?i)(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe/)
  ) OR
  // Part 3: w3wp.exe Loading DLL from Non-Standard Path (Sysmon EventID 7 - ImageLoad)
  (EventID = "7"
    AND (Image matches /(?i)w3wp\.exe/)
    AND (ImageLoaded matches /(?i)(\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Windows\\Temp\\)/)
    AND (ImageLoaded matches /(?i)\.dll$/)
  )
| eval detection_type = if(EventID = "13"
    AND TargetObject matches /(?i)(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|inetsrv)/
    AND Details matches /(?i)\.dll/,
    "IIS_Component_Registration",
  if(EventID = "11"
    AND TargetFilename matches /(?i)(\\system32\\inetsrv|\\inetpub|\\inetsrv)/
    AND TargetFilename matches /(?i)\.dll$/,
    "IIS_Dir_DLL_Write",
  if(EventID = "7"
    AND Image matches /(?i)w3wp\.exe/
    AND ImageLoaded matches /(?i)(\\Users\\|\\Temp\\)/,
    "IIS_Non_Standard_Module_Load",
    "Unknown"
  )))
| where detection_type != "Unknown"
| fields _messageTime, host, User, detection_type, Image, CommandLine, TargetFilename, TargetObject, Details, ImageLoaded
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon Operational Log (via Sumo Logic Windows collector) Sumo Logic Cloud SIEM Enterprise normalized Windows events

Required Tables

_sourceCategory=windows/sysmon

False Positives

Legitimate third-party IIS modules installed via vendor MSI packages during patch cycles — the installer process (msiexec.exe) is excluded, but custom wrapper scripts calling robocopy or xcopy to deploy DLLs would trigger the file write detection
IIS URL Rewrite Module or ARR (Application Request Routing) installations that write native DLLs to inetsrv and register in GlobalModules during initial setup
Security scanning tools or vulnerability assessment agents that load inspection DLLs into the w3wp.exe process space as part of DAST testing on IIS-hosted applications

Google Chronicle / SecOps

yaral

rule malicious_iis_components_t1505_004 {
  meta:
    author = "df00tech"
    description = "Detects malicious IIS component installation via ISAPI filter/extension or IIS module DLL registration, unauthorized DLL writes to IIS directories, or w3wp.exe loading DLLs from non-standard paths. Covers RGDoor, OwaAuth, and IceApple TTPs."
    mitre_attack_technique = "T1505.004"
    mitre_attack_tactic = "Persistence"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Signal 1: Registry write to IIS configuration paths with DLL value
    (
      $reg.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($reg.target.registry.registry_key, `(?i)(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|system32\\inetsrv)`)
      )
      and (
        $reg.target.registry.registry_value_name = /(?i)(FilterDLLs|ImagePath|Path|Filename|DLL)/
      )
      and (
        $reg.target.registry.registry_value_data = /(?i)\.dll/
      )
    )
    or
    // Signal 2: DLL file created in IIS directory by non-installer process
    (
      $file.metadata.event_type = "FILE_CREATION"
      and re.regex($file.target.file.full_path, `(?i)(\\system32\\inetsrv|\\inetpub|\\inetsrv)`)
      and re.regex($file.target.file.full_path, `(?i)\.dll$`)
      and not re.regex($file.principal.process.file.full_path, `(?i)(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe`)
    )
    or
    // Signal 3: w3wp.exe loading DLL from non-standard writable path
    (
      $lib.metadata.event_type = "PROCESS_MODULE_LOAD"
      and $lib.principal.process.file.full_path = /(?i)w3wp\.exe/
      and re.regex($lib.target.file.full_path, `(?i)(\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Windows\\Temp\\)`)
      and $lib.target.file.full_path = /(?i)\.dll$/
    )

  condition:
    $reg or $file or $lib
}

high severity high confidence

Data Sources

Windows Event Logs (via Chronicle forwarder) Sysmon for Windows (via Chronicle forwarder) Microsoft Defender for Endpoint telemetry ingested into Chronicle

Required Tables

UDM REGISTRY_MODIFICATION events UDM FILE_CREATION events UDM PROCESS_MODULE_LOAD events

False Positives

Web server management platforms such as Plesk or cPanel that perform automated IIS configuration changes including ISAPI filter registration as part of virtual host provisioning
Continuous deployment pipelines using tools like Octopus Deploy or Azure DevOps release agents that copy application DLLs to inetpub directories and register IIS modules — these agents may not match standard installer process names
IIS Crypto or SSL configuration tools that modify W3SVC registry entries and may drop associated DLL components during certificate binding or cipher suite configuration

CrowdStrike LogScale (CQL)

cql

// T1505.004 — Malicious IIS Components: CrowdStrike LogScale (CQL)
// Signal 1: Registry writes to IIS configuration keys containing DLL paths
#event_simpleName=RegValueUpdate
| TargetObjectName = /(?i)(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|system32\\inetsrv)/
| ValueName = /(?i)(FilterDLLs|Path|ImagePath|DLL|Filename)/
| StringValue = /(?i)\.dll/
| eval detection_type="IIS_Component_Registration"
| table([@timestamp, ComputerName, UserName, detection_type, TargetObjectName, ValueName, StringValue, ProcessImageFileName, CommandLine])

union

// Signal 2: DLL written to IIS directories by non-standard installer process
#event_simpleName=FileWritten
| TargetFilename = /(?i)(\\system32\\inetsrv|\\inetpub|\\inetsrv)/
| TargetFilename = /(?i)\.dll$/
| not ProcessImageFileName = /(?i)(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe/
| eval detection_type="IIS_Dir_DLL_Write"
| table([@timestamp, ComputerName, UserName, detection_type, TargetFilename, ProcessImageFileName, CommandLine])

union

// Signal 3: w3wp.exe loading DLL from non-standard user-writable path
#event_simpleName=ClassifiedModuleLoad
| ImageFileName = /(?i)w3wp\.exe/
| ModuleObjectName = /(?i)(\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Windows\\Temp\\)/
| ModuleObjectName = /(?i)\.dll$/
| eval detection_type="IIS_Non_Standard_Module_Load"
| table([@timestamp, ComputerName, UserName, detection_type, ModuleObjectName, ImageFileName, CommandLine])

| sort(@timestamp, order=desc, limit=1000)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR telemetry) Falcon sensor registry monitoring Falcon sensor file system monitoring Falcon sensor DLL load tracking

Required Tables

RegValueUpdate FileWritten ClassifiedModuleLoad

False Positives

Falcon sensor itself or other CrowdStrike components that perform IIS integration for threat prevention and may register as ISAPI filters or load modules via w3wp.exe
Enterprise monitoring solutions such as Dynatrace OneAgent or Datadog APM that inject DLLs into IIS worker processes (w3wp.exe) from their installation paths under ProgramFiles — these may load from ProgramData subdirectories and trigger the module load signal
Custom in-house developed IIS modules deployed by DevOps teams via non-standard deployment scripts (PowerShell, batch) that copy DLLs directly without using msiexec or standard Windows installers

IIS Components

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections