Detect IIS Components in Microsoft Sentinel
Adversaries install malicious ISAPI extensions, ISAPI filters, or IIS modules on Internet Information Services (IIS) web servers to establish persistent access. These components are DLLs loaded by the IIS worker process (w3wp.exe) and have unrestricted access to all HTTP requests and responses. RGDoor (OilRig) and OwaAuth (Threat Group-3390) used this technique. IceApple is an IIS post-exploitation framework with 18 modules. Unlike web shells, IIS components are invisible to directory listing and harder to detect.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.004 IIS Components
- Canonical reference: https://attack.mitre.org/techniques/T1505/004/
KQL Detection Query
```kql
// T1505.004 — Malicious IIS Components detection
// ISAPI filters/extensions registered in IIS configuration and loaded by w3wp.exe
// Note: DeviceRegistryEvents, DeviceFileEvents and DeviceImageLoadEvents expose the
// acting user as InitiatingProcessAccountName; these tables have no AccountName column,
// so projecting AccountName fails to resolve.
// Part 1: Detect DLL registration in IIS configuration registry paths
let IISComponentReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "W3SVC",
    "ISAPI Filter",
    "ISAPI Extension",
    "GlobalModules",
    "IIS\\FastCGI",
    "system32\\inetsrv"
)
| where RegistryValueName has_any ("FilterDLLs", "Path", "ImagePath", "DLL", "Filename")
| where RegistryValueData has ".dll"
| extend DetectionType = "IIS_Component_Registration"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect DLL writes to IIS directories from unexpected processes
let IISDirWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any ("\\system32\\inetsrv\\", "\\iis\\",
    "\\inetsrv\\", "\\inetpub\\")
| where FileName endswith ".dll"
// Installers and servicing components that legitimately write IIS DLLs
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "pkgmgr.exe",
    "TiWorker.exe", "TrustedInstaller.exe",
    "wusa.exe", "dism.exe")
| extend DetectionType = "IIS_DLL_Write"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect unusual DLL loads by w3wp.exe from non-standard paths
let IISUnexpectedLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FolderPath has_any ("\\Users\\", "\\Temp\\", "\\ProgramData\\",
    "\\AppData\\", "\\Windows\\Temp\\")
| where FileName endswith ".dll"
| extend DetectionType = "IIS_Non_Standard_DLL_Load"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath,
    InitiatingProcessFileName, DetectionType;
union IISComponentReg, IISDirWrite, IISUnexpectedLoad
| sort by Timestamp desc
```

Three-part IIS malicious component detection. Part 1 monitors IIS configuration registry paths for new DLL registrations (ISAPI filter/extension/module registration). Part 2 detects DLL writes to IIS system directories by non-installer processes. Part 3 catches w3wp.exe loading DLLs from user-writable locations, indicating a malicious module was installed and is now being loaded.
Data Sources
Required Tables
- DeviceRegistryEvents (Part 1: registry writes under IIS configuration paths)
- DeviceFileEvents (Part 2: DLL writes into IIS directories)
- DeviceImageLoadEvents (Part 3: DLLs loaded by w3wp.exe)
False Positives & Tuning
- Legitimate IIS module installations for anti-virus scanning, WAF, or URL rewriting (URL Rewrite Module, Application Request Routing)
- Windows Updates applying patches to IIS components via TrustedInstaller/wusa
- Third-party web application security products installing ISAPI filters for request inspection
- Web application framework installations (ASP.NET, PHP for Windows, etc.) registering their respective ISAPI extensions
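The tuning query below is an added example and not part of the original detection package. It applies the false-positive sources listed above as explicit allowlists and adds a first-seen baseline: a DLL is only reported if w3wp.exe on that host has not loaded it during the preceding 30 days, and the alert is raised to High when a non-installer process is recorded writing the file. The names in KnownModuleDlls are placeholders, as is the 30-day baseline window; replace them with the modules (URL Rewrite, ARR, WAF or anti-virus agents, framework handlers) actually deployed in your environment.

```kql
// Added tuning example, not part of the original detection package.
// Suppresses the documented benign sources by name and keeps only DLLs that
// w3wp.exe has not loaded on that host during a 30-day baseline window.
// KnownModuleDlls holds placeholder names: replace with your deployed modules.
let lookback = 24h;
let baseline = 30d;
// Installers that legitimately drop or update IIS DLLs (Windows Update, vendor setup)
let KnownInstallers = dynamic(["msiexec.exe", "setup.exe", "pkgmgr.exe", "TiWorker.exe",
                               "TrustedInstaller.exe", "wusa.exe", "dism.exe"]);
// Placeholder allowlist of module DLLs that are expected on these servers
let KnownModuleDlls = dynamic(["rewrite.dll", "requestrouter.dll", "aspnetcore.dll"]);
// Baseline: every DLL w3wp.exe loaded before the detection window, per host
let SeenBefore = DeviceImageLoadEvents
    | where Timestamp between (ago(baseline) .. ago(lookback))
    | where InitiatingProcessFileName =~ "w3wp.exe"
    | where FileName endswith ".dll"
    | extend FileName = tolower(FileName), FolderPath = tolower(FolderPath)
    | summarize by DeviceName, FolderPath, FileName;
// Most recent write to each DLL by a process that is not a known installer
let SuspectWrites = DeviceFileEvents
    | where Timestamp > ago(baseline)
    | where ActionType in ("FileCreated", "FileModified")
    | where FileName endswith ".dll"
    | where InitiatingProcessFileName !in~ (KnownInstallers)
    | extend FileName = tolower(FileName), FolderPath = tolower(FolderPath)
    | summarize arg_max(Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine,
                        InitiatingProcessAccountName) by DeviceName, FolderPath, FileName
    | project DeviceName, FolderPath, FileName, WriteTime = Timestamp,
              Writer = InitiatingProcessFileName, WriterCommandLine = InitiatingProcessCommandLine,
              WriterAccount = InitiatingProcessAccountName;
DeviceImageLoadEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FileName endswith ".dll"
| where FileName !in~ (KnownModuleDlls)
| extend FileName = tolower(FileName), FolderPath = tolower(FolderPath)
// First-seen filter: drop anything this host already loaded into w3wp.exe during the baseline
| join kind=leftanti SeenBefore on DeviceName, FolderPath, FileName
// Attach the non-installer write that produced the file, when one is recorded
| join kind=leftouter SuspectWrites on DeviceName, FolderPath, FileName
| extend Severity = iff(isnotempty(Writer), "High", "Medium")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, Severity,
          WriteTime, Writer, WriterCommandLine, WriterAccount
| sort by Severity asc, Timestamp desc
```

The baseline join is what removes the recurring noise from Windows Update and framework installs: those DLLs were already loaded by w3wp.exe before the detection window and drop out through the leftanti join, while a freshly planted module has no prior load on that host and survives. Hosts with less than 30 days of image-load telemetry will produce more Medium results until the baseline fills.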
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: List IIS Global Modules (Detection Audit)
Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-WebGlobalModule'. No system changes made.
- Test 2: Write Test DLL to IIS Directory
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\Windows\System32\inetsrv\df00tech-test.dll, Image=powershell.exe.
- Test 3: Check applicationHost.config for Module Registrations
Expected signal: Sysmon EventCode 11: Read access to applicationHost.config (if configured for read monitoring). Sysmon EventCode 1: powershell.exe process.
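The validation query below is an added example and not part of the original page. It checks that the three tests above left telemetry in the advanced-hunting tables the detection reads, and lists any test that produced nothing. The page states the expected signals as Sysmon events; mapping Test 1 and Test 3 to DeviceProcessEvents and Test 2 to DeviceFileEvents is this example's assumption, as are the placeholder host name TestHost, the one-hour window, and the assumption that the Test 3 command names applicationHost.config on its command line (DeviceFileEvents records no file reads, so the launching process is the only artefact visible there).

```kql
// Added validation query, not part of the original page.
// Assumptions: TestHost is a placeholder lab host, the tests ran within the last
// hour, and the Test 3 command names applicationHost.config on its command line.
let window = 1h;
let TestHost = "IIS-TEST-01";   // placeholder
let Expected = datatable(Test:string) [
    "Test1_ListGlobalModules", "Test2_WriteTestDll", "Test3_ReadApplicationHostConfig"
];
// Test 1: the audit command as a process-creation event
let Test1 = DeviceProcessEvents
    | where Timestamp > ago(window)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has "Get-WebGlobalModule"
    | project Timestamp, DeviceName, Test = "Test1_ListGlobalModules",
              Evidence = ProcessCommandLine, Actor = FileName, Account = AccountName;
// Test 2: the marker DLL created inside the IIS system directory
let Test2 = DeviceFileEvents
    | where Timestamp > ago(window)
    | where ActionType == "FileCreated"
    | where FileName =~ "df00tech-test.dll"
    | where FolderPath has "inetsrv"
    | project Timestamp, DeviceName, Test = "Test2_WriteTestDll",
              Evidence = FolderPath, Actor = InitiatingProcessFileName,
              Account = InitiatingProcessAccountName;
// Test 3: file reads are not recorded in DeviceFileEvents, so the only observable
// artefact is the PowerShell process that opened applicationHost.config
let Test3 = DeviceProcessEvents
    | where Timestamp > ago(window)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine contains "applicationHost.config"
    | project Timestamp, DeviceName, Test = "Test3_ReadApplicationHostConfig",
              Evidence = ProcessCommandLine, Actor = FileName, Account = AccountName;
union Test1, Test2, Test3
| where DeviceName =~ TestHost
| summarize Observed = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            SampleEvidence = take_any(Evidence) by Test
// Right-outer join against the expected list so a test with zero events still appears
| join kind=rightouter Expected on Test
| extend Observed = coalesce(Observed, long(0))
| project Test = Test1, Observed, Result = iff(Observed > 0, "PASS", "MISSING"),
          FirstSeen, LastSeen, SampleEvidence
| sort by Test asc
```

A MISSING row for Test 2 on a host where the DLL was actually written usually means file telemetry for the inetsrv directory is not reaching the workspace, which would also blind Part 2 of the detection; confirm ingestion before tuning the query itself.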
References (5)
- https://attack.mitre.org/techniques/T1505/004/
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/
- https://www.crowdstrike.com/blog/iceapple-a-novel-internet-information-services-post-exploitation-framework/
- https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview