T1505.004 Google Chronicle · YARA-L

Detect IIS Components in Google Chronicle

Adversaries install malicious ISAPI extensions, ISAPI filters, or IIS modules on Internet Information Services (IIS) web servers to establish persistent access. These components are DLLs loaded by the IIS worker process (w3wp.exe) and have unrestricted access to all HTTP requests and responses. RGDoor (OilRig) and OwaAuth (Threat Group-3390) used this technique. IceApple is an IIS post-exploitation framework with 18 modules. Unlike web shells, IIS components are invisible to directory listing and harder to detect.

MITRE ATT&CK

Tactic: Persistence
Technique: T1505 Server Software Component
Sub-technique: T1505.004 IIS Components
Canonical reference: https://attack.mitre.org/techniques/T1505/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule malicious_iis_components_t1505_004 {
  meta:
    author = "df00tech"
    description = "Detects malicious IIS component installation via ISAPI filter/extension or IIS module DLL registration, unauthorized DLL writes to IIS directories, or w3wp.exe loading DLLs from non-standard paths. Covers RGDoor, OwaAuth, and IceApple TTPs."
    mitre_attack_technique = "T1505.004"
    mitre_attack_tactic = "Persistence"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Signal 1: Registry write to IIS configuration paths with DLL value
    (
      $reg.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($reg.target.registry.registry_key, `(?i)(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|system32\\inetsrv)`)
      )
      and (
        $reg.target.registry.registry_value_name = /(?i)(FilterDLLs|ImagePath|Path|Filename|DLL)/
      )
      and (
        $reg.target.registry.registry_value_data = /(?i)\.dll/
      )
    )
    or
    // Signal 2: DLL file created in IIS directory by non-installer process
    (
      $file.metadata.event_type = "FILE_CREATION"
      and re.regex($file.target.file.full_path, `(?i)(\\system32\\inetsrv|\\inetpub|\\inetsrv)`)
      and re.regex($file.target.file.full_path, `(?i)\.dll$`)
      and not re.regex($file.principal.process.file.full_path, `(?i)(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe`)
    )
    or
    // Signal 3: w3wp.exe loading DLL from non-standard writable path
    (
      $lib.metadata.event_type = "PROCESS_MODULE_LOAD"
      and $lib.principal.process.file.full_path = /(?i)w3wp\.exe/
      and re.regex($lib.target.file.full_path, `(?i)(\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Windows\\Temp\\)`)
      and $lib.target.file.full_path = /(?i)\.dll$/
    )

  condition:
    $reg or $file or $lib
}

Chronicle YARA-L 2.0 rule detecting malicious IIS component persistence through three independent UDM signals: registry modification of IIS configuration keys with DLL paths, file creation of DLLs in IIS-managed directories by non-standard processes, and process module load events where w3wp.exe loads DLLs from user-writable non-standard locations. Aligns with behaviors of OilRig's RGDoor, TG-3390's OwaAuth, and the IceApple IIS post-exploitation framework.

Data Sources

  • Windows Event Logs (via Chronicle forwarder)
  • Sysmon for Windows (via Chronicle forwarder)
  • Microsoft Defender for Endpoint telemetry ingested into Chronicle

Required Tables

  • UDM REGISTRY_MODIFICATION events
  • UDM FILE_CREATION events
  • UDM PROCESS_MODULE_LOAD events

False Positives & Tuning

  • Web server management platforms such as Plesk or cPanel that perform automated IIS configuration changes including ISAPI filter registration as part of virtual host provisioning
  • Continuous deployment pipelines using tools like Octopus Deploy or Azure DevOps release agents that copy application DLLs to inetpub directories and register IIS modules — these agents may not match standard installer process names
  • IIS Crypto or SSL configuration tools that modify W3SVC registry entries and may drop associated DLL components during certificate binding or cipher suite configuration
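To exercise the three signals of the rule above and the tuning allowlist from the false-positive notes before deploying, here is a small Python re-implementation of the same matching logic over constructed UDM-style events. This is added example code, not df00tech's rule or a Chronicle API; the flat dict keys and the "Tentacle.exe" deployment-agent name are assumptions.

```python
import re

# Patterns mirror the three signals of the YARA-L rule on this page.
INSTALLER_RE = re.compile(r"(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe", re.I)
IIS_REG_RE = re.compile(r"(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|system32\\inetsrv)", re.I)
REG_VALUE_RE = re.compile(r"(FilterDLLs|ImagePath|Path|Filename|DLL)", re.I)
IIS_DIR_RE = re.compile(r"(\\system32\\inetsrv|\\inetpub|\\inetsrv)", re.I)
WRITABLE_RE = re.compile(r"(\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Windows\\Temp\\)", re.I)
DLL_RE = re.compile(r"\.dll$", re.I)

def classify(event, extra_installers=()):
    """Return the signal an event trips, or None. `event` is a flat dict with
    UDM-style keys (constructed). `extra_installers` is a tuning allowlist of
    deployment-agent image names that the stock installer list misses."""
    et = event.get("event_type")
    if et == "REGISTRY_MODIFICATION":  # Signal 1: IIS config key gets a DLL path
        if (IIS_REG_RE.search(event.get("registry_key", ""))
                and REG_VALUE_RE.search(event.get("registry_value_name", ""))
                and re.search(r"\.dll", event.get("registry_value_data", ""), re.I)):
            return "signal1_registry"
    elif et == "FILE_CREATION":  # Signal 2: DLL dropped in IIS dir by non-installer
        path, proc = event.get("file_path", ""), event.get("process_path", "")
        allowed = INSTALLER_RE.search(proc) or any(
            proc.lower().endswith(a.lower()) for a in extra_installers)
        if IIS_DIR_RE.search(path) and DLL_RE.search(path) and not allowed:
            return "signal2_file"
    elif et == "PROCESS_MODULE_LOAD":  # Signal 3: w3wp.exe loads DLL from writable path
        mod = event.get("module_path", "")
        if (re.search(r"w3wp\.exe", event.get("process_path", ""), re.I)
                and WRITABLE_RE.search(mod) and DLL_RE.search(mod)):
            return "signal3_module"
    return None

# Constructed sample events: one per signal, one tuning case, one benign load.
SAMPLE_EVENTS = [
    {"event_type": "REGISTRY_MODIFICATION",
     "registry_key": r"HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters",
     "registry_value_name": "FilterDLLs",
     "registry_value_data": r"C:\inetpub\filters\test-filter.dll"},
    {"event_type": "FILE_CREATION", "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "file_path": r"C:\Windows\System32\inetsrv\df00tech-test.dll"},
    {"event_type": "FILE_CREATION", "process_path": r"C:\Octopus\Tentacle.exe",
     "file_path": r"C:\inetpub\wwwroot\bin\App.dll"},
    {"event_type": "PROCESS_MODULE_LOAD", "process_path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "module_path": r"C:\Windows\Temp\loader.dll"},
    {"event_type": "PROCESS_MODULE_LOAD", "process_path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "module_path": r"C:\Windows\System32\inetsrv\isapi.dll"},
]
```

The third sample event shows the tuning case: the deployment agent trips Signal 2 until its image name is passed in `extra_installers`.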

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List IIS Global Modules (Detection Audit)

    Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-WebGlobalModule'. No system changes made.

  2. Test 2: Write Test DLL to IIS Directory

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\Windows\System32\inetsrv\df00tech-test.dll, Image=powershell.exe.

  3. Test 3: Check applicationHost.config for Module Registrations

    Expected signal: Sysmon EventCode 11: Read access to applicationHost.config (if configured for read monitoring). Sysmon EventCode 1: powershell.exe process.
