Detect IIS Components in Elastic Security
Adversaries install malicious ISAPI extensions, ISAPI filters, or IIS modules on Internet Information Services (IIS) web servers to establish persistent access. These components are DLLs loaded by the IIS worker process (w3wp.exe) and have unrestricted access to all HTTP requests and responses. RGDoor (OilRig) and OwaAuth (Threat Group-3390) used this technique. IceApple is an IIS post-exploitation framework with 18 modules. Unlike web shells, IIS components are invisible to directory listing and harder to detect.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.004 IIS Components
- Canonical reference: https://attack.mitre.org/techniques/T1505/004/
Elastic Detection Query

// Part 1: ISAPI/module registration in the registry followed, on the same host within 1h,
// by a DLL dropped into an IIS directory by something other than a known installer.
sequence by host.name with maxspan=1h
  [registry where event.type in ("creation", "change") and
     registry.path : ("*W3SVC*", "*ISAPI Filter*", "*ISAPI Extension*", "*GlobalModules*", "*inetsrv*") and
     registry.value : ("FilterDLLs", "Path", "ImagePath", "DLL", "Filename") and
     registry.data.strings : "*.dll*"]
  [file where event.type in ("creation", "change") and
     file.extension : "dll" and
     file.path : ("*\\system32\\inetsrv\\*", "*\\iis\\*", "*\\inetsrv\\*", "*\\inetpub\\*") and
     not process.name : ("msiexec.exe", "setup.exe", "pkgmgr.exe", "TiWorker.exe", "TrustedInstaller.exe", "wusa.exe", "dism.exe")]

// Part 2: EQL does not accept "or" between a sequence and a flat query, so the
// w3wp.exe library-load signal is a separate rule query rather than an "or" branch.
any where event.category == "library" and
  process.name : "w3wp.exe" and
  dll.path : ("*\\Users\\*", "*\\Temp\\*", "*\\ProgramData\\*", "*\\AppData\\*", "*\\Windows\\Temp\\*") and
  dll.name : "*.dll"

Detects malicious IIS component installation via three correlated signals: (1) ISAPI filter/extension or IIS module DLL paths written to IIS-related registry keys, (2) DLL files dropped into IIS directories by non-installer processes, and (3) w3wp.exe loading DLLs from non-standard, user-writable locations. Covers techniques used by RGDoor (OilRig), OwaAuth (TG-3390), and the IceApple post-exploitation framework.
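To check the rule logic offline before deploying it, here is an added Python emulation of the three signals and the one-hour sequence correlation, run over constructed sample events. It is not Elastic's code or part of this rule; the helper names, the flattened field names and the sample events are my own assumptions.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
# Pattern lists are copied from the rule above; helper names and event field names are my own.
INSTALLERS = {"msiexec.exe", "setup.exe", "pkgmgr.exe", "TiWorker.exe", "TrustedInstaller.exe", "wusa.exe", "dism.exe"}
REG_PATHS = ("*W3SVC*", "*ISAPI Filter*", "*ISAPI Extension*", "*GlobalModules*", "*inetsrv*")
REG_VALUES = {"FilterDLLs", "Path", "ImagePath", "DLL", "Filename"}
IIS_DIRS = ("*\\system32\\inetsrv\\*", "*\\iis\\*", "*\\inetsrv\\*", "*\\inetpub\\*")
USER_DIRS = ("*\\Users\\*", "*\\Temp\\*", "*\\ProgramData\\*", "*\\AppData\\*", "*\\Windows\\Temp\\*")
def _matches(value, patterns):  # case-insensitive wildcard match, like EQL's ':' operator
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
def is_registry_signal(e):  # signal 1: a DLL path written under an IIS-related registry key
    return (e.get("category") == "registry" and e.get("type") in ("creation", "change")
            and _matches(e.get("registry.path", ""), REG_PATHS)
            and e.get("registry.value") in REG_VALUES and _matches(e.get("registry.data", ""), ("*.dll*",)))
def is_file_signal(e):  # signal 2: a DLL dropped into an IIS directory by a non-installer process
    return (e.get("category") == "file" and e.get("type") in ("creation", "change")
            and e.get("file.extension", "").lower() == "dll"
            and _matches(e.get("file.path", ""), IIS_DIRS) and e.get("process.name") not in INSTALLERS)
def is_library_signal(e):  # signal 3: w3wp.exe loading a DLL from a user-writable location
    return (e.get("category") == "library" and e.get("process.name", "").lower() == "w3wp.exe"
            and _matches(e.get("dll.path", ""), USER_DIRS) and _matches(e.get("dll.name", ""), ("*.dll",)))

def detect(events, maxspan=timedelta(hours=1)):
    # Signal 1 followed by signal 2 on the same host within maxspan -> one alert (the sequence);
    # signal 3 alerts on its own, mirroring the rule's two parts. Events are processed in time order.
    alerts, pending = [], {}  # pending: host -> timestamp of its most recent registry signal
    for e in sorted(events, key=lambda ev: ev["ts"]):
        host = e["host"]
        if is_registry_signal(e):
            pending[host] = e["ts"]
        elif is_file_signal(e) and host in pending and e["ts"] - pending[host] <= maxspan:
            alerts.append(("iis_component_install", host, e["file.path"]))
            del pending[host]
        elif is_library_signal(e):
            alerts.append(("w3wp_suspicious_load", host, e["dll.path"]))
    return alerts

T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"host": "web01", "ts": T0, "category": "registry", "type": "change", "registry.value": "FilterDLLs",
     "registry.path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W3SVC\\Parameters",
     "registry.data": "C:\\inetpub\\filter.dll"},
    {"host": "web01", "ts": T0 + timedelta(minutes=5), "category": "file", "type": "creation",
     "file.extension": "dll", "file.path": "C:\\Windows\\System32\\inetsrv\\filter.dll",
     "process.name": "powershell.exe"},
    {"host": "web02", "ts": T0, "category": "file", "type": "creation", "file.extension": "dll",
     "file.path": "C:\\Windows\\System32\\inetsrv\\rewrite.dll", "process.name": "msiexec.exe"},
    {"host": "web03", "ts": T0, "category": "library", "process.name": "w3wp.exe",
     "dll.path": "C:\\Windows\\Temp\\m.dll", "dll.name": "m.dll"},
]
```

Running detect(SAMPLE_EVENTS) yields one sequence alert for web01 and one library-load alert for web03, while the msiexec.exe drop on web02 is excluded, which is the tuning behaviour described below.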
False Positives & Tuning
- Legitimate IIS module installation via Microsoft Web Platform Installer or IIS Manager: produces registry writes and DLL drops in inetsrv with msiexec.exe or a similar installer as the initiating process (these installer processes are excluded in the query)
- Third-party web application frameworks (ORDS, ASP.NET modules, URL Rewrite) that install native DLL modules into inetsrv during normal deployment pipelines
- Security products such as Imperva WAF, F5 iRules, or Dynatrace OneAgent that legitimately install as ISAPI filters or IIS native modules and load from non-default paths
Testing Methodology
Validate this detection against the three Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: List IIS Global Modules (Detection Audit)
Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-WebGlobalModule'. No system changes made.
- Test 2: Write Test DLL to IIS Directory
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\Windows\System32\inetsrv\df00tech-test.dll, Image=powershell.exe.
- Test 3: Check applicationHost.config for Module Registrations
Expected signal: Sysmon EventCode 11: Read access to applicationHost.config (if configured for read monitoring). Sysmon EventCode 1: powershell.exe process.
References
- https://attack.mitre.org/techniques/T1505/004/
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/
- https://www.crowdstrike.com/blog/iceapple-a-novel-internet-information-services-post-exploitation-framework/
- https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview