Detect IIS Components in CrowdStrike LogScale
Adversaries install malicious ISAPI extensions, ISAPI filters, or IIS modules on Internet Information Services (IIS) web servers to establish persistent access. These components are DLLs loaded by the IIS worker process (w3wp.exe) and have unrestricted access to all HTTP requests and responses. RGDoor (OilRig) and OwaAuth (Threat Group-3390) used this technique. IceApple is an IIS post-exploitation framework with 18 modules. Unlike web shells, IIS components do not appear in directory listings and are harder to detect.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.004 IIS Components
- Canonical reference: https://attack.mitre.org/techniques/T1505/004/
LogScale Detection Query
// T1505.004 — Malicious IIS Components: CrowdStrike LogScale (CQL)
// The three signals are combined with case{}; an event that matches no branch is dropped.
#event_simpleName=/^(RegValueUpdate|FileWritten|ClassifiedModuleLoad)$/
| case {
    // Signal 1: Registry writes to IIS configuration keys containing DLL paths
    #event_simpleName=RegValueUpdate
    | TargetObjectName=/(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|system32\\inetsrv)/i
    | ValueName=/(FilterDLLs|Path|ImagePath|DLL|Filename)/i
    | StringValue=/\.dll/i
    | detection_type := "IIS_Component_Registration";
    // Signal 2: DLL written to IIS directories by a process that is not a standard installer
    #event_simpleName=FileWritten
    | TargetFilename=/(\\system32\\inetsrv|\\inetpub|\\inetsrv)/i
    | TargetFilename=/\.dll$/i
    | ProcessImageFileName!=/(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe/i
    | detection_type := "IIS_Dir_DLL_Write";
    // Signal 3: w3wp.exe loading a DLL from a non-standard, user-writable path
    #event_simpleName=ClassifiedModuleLoad
    | ImageFileName=/w3wp\.exe/i
    | ModuleObjectName=/(\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Windows\\Temp\\)/i
    | ModuleObjectName=/\.dll$/i
    | detection_type := "IIS_Non_Standard_Module_Load"
}
| table([@timestamp, ComputerName, UserName, detection_type, TargetObjectName, ValueName, StringValue, TargetFilename, ModuleObjectName, ImageFileName, ProcessImageFileName, CommandLine])
| sort(@timestamp, order=desc, limit=1000)

CrowdStrike LogScale (Humio) CQL query using Falcon sensor telemetry to detect malicious IIS component installation. It uses RegValueUpdate events for ISAPI registry path modification, FileWritten events for DLL drops in IIS directories from non-installer processes, and ClassifiedModuleLoad events to catch w3wp.exe loading DLLs from non-standard paths, a key indicator of the IceApple framework and similar IIS-targeting implants.
Data Sources
Required Tables
- Falcon sensor telemetry, selected by #event_simpleName: RegValueUpdate (Signal 1), FileWritten (Signal 2), ClassifiedModuleLoad (Signal 3)
False Positives & Tuning
- Falcon sensor itself or other CrowdStrike components that perform IIS integration for threat prevention and may register as ISAPI filters or load modules via w3wp.exe
- Enterprise monitoring solutions such as Dynatrace OneAgent or Datadog APM that inject DLLs into IIS worker processes (w3wp.exe). Although installed under Program Files, some of these agents load modules from ProgramData subdirectories and therefore trigger the module load signal
- Custom in-house developed IIS modules deployed by DevOps teams via non-standard deployment scripts (PowerShell, batch) that copy DLLs directly without using msiexec or standard Windows installers
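As an added example that is not code from the original page or from CrowdStrike, the following Python models the three LogScale signals above and runs them over constructed Falcon-style event records, with an allowlist hook for the APM-agent tuning case listed under "False Positives & Tuning". Field names follow the query; the sample events, the allowlisted agent path and the helper names (classify, run) are constructed for illustration.

```python
"""Python model of the T1505.004 LogScale query: three signals plus an
allowlist for known-good w3wp.exe module paths. Sample data is constructed."""
import re
from typing import Dict, List, Optional

I = re.IGNORECASE

# Signal 1: registry writes to IIS configuration keys that carry a DLL path
REG_KEY = re.compile(r"(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|system32\\inetsrv)", I)
REG_VALUE = re.compile(r"(FilterDLLs|Path|ImagePath|DLL|Filename)", I)
DLL_ANYWHERE = re.compile(r"\.dll", I)

# Signal 2: DLL written into an IIS directory by something other than an installer
IIS_DIR = re.compile(r"(\\system32\\inetsrv|\\inetpub|\\inetsrv)", I)
DLL_SUFFIX = re.compile(r"\.dll$", I)
INSTALLERS = re.compile(r"(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe", I)

# Signal 3: w3wp.exe loading a DLL from a user-writable location
W3WP = re.compile(r"w3wp\.exe", I)
USER_WRITABLE = re.compile(r"(\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Windows\\Temp\\)", I)

# Tuning hook for the APM-agent false positive: lower-case module path prefixes
# that are known to load into w3wp.exe legitimately. Constructed placeholder;
# populate it from paths observed in your own environment.
ALLOWED_MODULE_PREFIXES = ("c:\\programdata\\example-apm-agent\\",)


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return the detection_type the query would assign to one event, or None."""
    kind = ev.get("event_simpleName")
    if kind == "RegValueUpdate":
        if (REG_KEY.search(ev.get("TargetObjectName", ""))
                and REG_VALUE.search(ev.get("ValueName", ""))
                and DLL_ANYWHERE.search(ev.get("StringValue", ""))):
            return "IIS_Component_Registration"
    elif kind == "FileWritten":
        target = ev.get("TargetFilename", "")
        if (IIS_DIR.search(target) and DLL_SUFFIX.search(target)
                and not INSTALLERS.search(ev.get("ProcessImageFileName", ""))):
            return "IIS_Dir_DLL_Write"
    elif kind == "ClassifiedModuleLoad":
        module = ev.get("ModuleObjectName", "")
        if (W3WP.search(ev.get("ImageFileName", ""))
                and USER_WRITABLE.search(module) and DLL_SUFFIX.search(module)):
            if module.lower().startswith(ALLOWED_MODULE_PREFIXES):
                return None  # tuned out: known agent path
            return "IIS_Non_Standard_Module_Load"
    return None


def run(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mimic the query's table(): one row per event that fires a signal."""
    rows = []
    for ev in events:
        dt = classify(ev)
        if dt is not None:
            rows.append({"ComputerName": ev.get("ComputerName", ""),
                         "detection_type": dt,
                         "Process": ev.get("ProcessImageFileName", ev.get("ImageFileName", ""))})
    return rows


# Constructed sample telemetry (not real Falcon data)
SAMPLE_EVENTS = [
    {"event_simpleName": "RegValueUpdate", "ComputerName": "WEB01",
     "TargetObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters",
     "ValueName": "FilterDLLs", "StringValue": r"C:\inetpub\wwwroot\bin\filter.dll",
     "ProcessImageFileName": r"C:\Windows\System32\reg.exe"},
    {"event_simpleName": "FileWritten", "ComputerName": "WEB01",
     "TargetFilename": r"C:\Windows\System32\inetsrv\df00tech-test.dll",
     "ProcessImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_simpleName": "FileWritten", "ComputerName": "WEB01",
     "TargetFilename": r"C:\Windows\System32\inetsrv\rewrite.dll",
     "ProcessImageFileName": r"C:\Windows\System32\msiexec.exe"},
    {"event_simpleName": "ClassifiedModuleLoad", "ComputerName": "WEB02",
     "ImageFileName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ModuleObjectName": r"C:\ProgramData\sample\x.dll"},
    {"event_simpleName": "ClassifiedModuleLoad", "ComputerName": "WEB02",
     "ImageFileName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ModuleObjectName": r"C:\ProgramData\example-apm-agent\agent.dll"},
    {"event_simpleName": "ClassifiedModuleLoad", "ComputerName": "WEB02",
     "ImageFileName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ModuleObjectName": r"C:\Windows\System32\inetsrv\cachuri.dll"},
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```

Of the six sample events, the registry write, the PowerShell DLL drop and the ProgramData module load fire; the msiexec write is excluded by the installer list, the allowlisted agent module is tuned out, and the inetsrv module load never matches the user-writable pattern. Adding an allowlist prefix is the cheapest way to address the APM-agent false positive without loosening the path regex itself.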
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are expressed as Sysmon events; the LogScale query above consumes the corresponding Falcon sensor events (RegValueUpdate, FileWritten, ClassifiedModuleLoad). Executable commands and cleanup steps are available with Pro.
- Test 1: List IIS Global Modules (Detection Audit)
Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-WebGlobalModule'. No system changes made.
- Test 2: Write Test DLL to IIS Directory
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\Windows\System32\inetsrv\df00tech-test.dll, Image=powershell.exe.
- Test 3: Check applicationHost.config for Module Registrations
Expected signal: Sysmon EventCode 11: Read access to applicationHost.config (if configured for read monitoring). Sysmon EventCode 1: powershell.exe process.
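Test 3 is a configuration audit rather than a telemetry check. As an added example that is not from the page, from Microsoft or from CrowdStrike, the Python below parses a constructed applicationHost.config fragment, expands %windir% from a constructed mapping (on a real host you would use the environment), and reports globalModules and isapiFilters entries whose DLL sits outside the expected IIS and .NET directories. The XML sample, the EXPECTED_ROOTS list and the function names (expand, audit) are assumptions made for the example.

```python
"""Offline audit of applicationHost.config module and ISAPI filter registrations.
Flags entries whose DLL path is outside the expected IIS/.NET roots. Sample XML
and the %windir% mapping are constructed for this example."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed environment mapping; on a host, build this from os.environ instead.
ENV: Dict[str, str] = {"%windir%": r"C:\Windows"}

# Lower-case prefixes under which stock IIS and ASP.NET components live.
EXPECTED_ROOTS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\framework",   # also covers Framework64
)

# Constructed fragment in the applicationHost.config schema (not a real server's file).
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="CacheUriModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\uricache.dll" />
      <add name="HttpHelper" image="C:\\inetpub\\wwwroot\\bin\\helper.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit" path="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_filter.dll" enabled="true" />
      <filter name="Compat" path="C:\\ProgramData\\compat\\filter.dll" enabled="true" />
    </isapiFilters>
  </system.webServer>
</configuration>
"""


def expand(path: str) -> str:
    """Expand the environment variables present in ENV inside a config path."""
    for var, val in ENV.items():
        path = path.replace(var, val)
    return path


def audit(config_xml: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, expanded_path) for every registration outside EXPECTED_ROOTS.

    iter() is used rather than a fixed XPath so registrations nested inside
    <location> elements are covered too."""
    root = ET.fromstring(config_xml)
    findings: List[Tuple[str, str, str]] = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            path = expand(add.get("image", ""))
            if not path.lower().startswith(EXPECTED_ROOTS):
                findings.append(("globalModule", add.get("name", "?"), path))
    for section in root.iter("isapiFilters"):
        for filt in section.findall("filter"):
            path = expand(filt.get("path", ""))
            if not path.lower().startswith(EXPECTED_ROOTS):
                findings.append(("isapiFilter", filt.get("name", "?"), path))
    return findings


if __name__ == "__main__":
    for kind, name, path in audit(SAMPLE_CONFIG):
        print(f"{kind:12} {name:20} {path}")
```

On the sample, the two stock modules and the ASP.NET filter pass, while the HttpHelper module under inetpub and the Compat filter under ProgramData are reported. Run the same function over the real file (%windir%\System32\inetsrv\config\applicationHost.config) and compare the output against a known-good baseline from a freshly built server; any registration that is not in the baseline deserves the same scrutiny as a Signal 3 hit in the query.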
References (5)
- https://attack.mitre.org/techniques/T1505/004/
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/
- https://www.crowdstrike.com/blog/iceapple-a-novel-internet-information-services-post-exploitation-framework/
- https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview