T1505.004 Splunk · SPL

Detect IIS Components in Splunk

Adversaries install malicious ISAPI extensions, ISAPI filters, or IIS modules on Internet Information Services (IIS) web servers to establish persistent access. These components are DLLs loaded by the IIS worker process (w3wp.exe) and have unrestricted access to all HTTP requests and responses. RGDoor (OilRig) and OwaAuth (Threat Group-3390) used this technique. IceApple is an IIS post-exploitation framework with 18 modules. Unlike web shells, IIS components are invisible to directory listing and harder to detect.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.004 IIS Components
Canonical reference
https://attack.mitre.org/techniques/T1505/004/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=13 AND
      match(TargetObject, "(?i)(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|inetsrv)") AND
      match(Details, "(?i)\.dll"),
      "IIS_Component_Registration",
    EventCode=11 AND
      match(TargetFilename, "(?i)(\\\\system32\\\\inetsrv|\\\\inetpub|\\\\inetsrv)") AND
      match(TargetFilename, "(?i)\.dll$") AND
      NOT match(Image, "(?i)(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe"),
      "IIS_Dir_DLL_Write",
    EventCode=7 AND
      match(Image, "(?i)w3wp\.exe") AND
      match(ImageLoaded, "(?i)(\\\\Users|\\\\Temp|\\\\ProgramData|\\\\AppData|\\\\Windows\\\\Temp)") AND
      match(ImageLoaded, "(?i)\.dll$"),
      "IIS_Non_Standard_Module_Load",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, User, detection_type, Image, CommandLine, TargetFilename, TargetObject, Details, ImageLoaded
| sort - _time
Severity: critical · Confidence: high

Detects malicious IIS component installation via Sysmon. EventCode 13 (Registry Value Set) monitors IIS configuration registry paths for new DLL registrations. EventCode 11 (File Create) catches DLL writes to IIS system directories. EventCode 7 (Image Load) detects w3wp.exe loading modules from user-writable paths outside standard IIS/Windows directories.
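As an added example that is not part of the original detection page, the Python below reproduces the three case() branches of the SPL query so the logic (including the installer exclusion on EventCode 11 and the user-writable-path test on EventCode 7) can be checked offline; the regexes mirror the match() calls above, field names follow the Sysmon XmlWinEventLog fields the query uses, and SAMPLE_EVENTS are constructed, not real telemetry.

```python
"""Offline replay of the three Sysmon branches of the T1505.004 SPL rule.
Added example; regexes mirror the SPL match() calls, events are constructed."""
import re

IIS_REG = re.compile(r"(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|inetsrv)", re.I)
IIS_DIRS = re.compile(r"(\\system32\\inetsrv|\\inetpub|\\inetsrv)", re.I)
INSTALLERS = re.compile(r"(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe", re.I)
USER_WRITABLE = re.compile(r"(\\Users|\\Temp|\\ProgramData|\\AppData|\\Windows\\Temp)", re.I)
DLL_END = re.compile(r"\.dll$", re.I)


def classify(ev: dict):
    """Return the detection_type the SPL case() assigns, or None (null())."""
    code, g = ev.get("EventCode"), ev.get
    if code == 13 and IIS_REG.search(g("TargetObject", "")) \
            and re.search(r"\.dll", g("Details", ""), re.I):
        return "IIS_Component_Registration"
    if code == 11 and IIS_DIRS.search(g("TargetFilename", "")) \
            and DLL_END.search(g("TargetFilename", "")) \
            and not INSTALLERS.search(g("Image", "")):  # installer allow-list
        return "IIS_Dir_DLL_Write"
    if code == 7 and re.search(r"w3wp\.exe", g("Image", ""), re.I) \
            and USER_WRITABLE.search(g("ImageLoaded", "")) \
            and DLL_END.search(g("ImageLoaded", "")):
        return "IIS_Non_Standard_Module_Load"
    return None


def run(events: list) -> list:
    """Equivalent of `| where isnotnull(detection_type)`: (EventCode, type) per hit."""
    return [(e["EventCode"], t) for e in events if (t := classify(e)) is not None]


# Constructed Sysmon events: one per rule branch, plus two benign controls.
SAMPLE_EVENTS = [
    {"EventCode": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Filters\Sample",
     "Details": r"C:\inetpub\sample_filter.dll"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\System32\inetsrv\df00tech-test.dll"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\msiexec.exe",      # excluded installer
     "TargetFilename": r"C:\Windows\System32\inetsrv\rewrite.dll"},
    {"EventCode": 7, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\ProgramData\sample_module.dll"},
    {"EventCode": 7, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",   # standard IIS path
     "ImageLoaded": r"C:\Windows\System32\inetsrv\rewrite.dll"},
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```

Running it yields three hits and suppresses the msiexec.exe write and the in-place inetsrv module load, which is the same split the SPL produces on these fields.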

Data Sources

  • Windows Registry: Registry Value Modification
  • File: File Creation
  • Module: Module Load
  • Sysmon Event ID 7, 11, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate IIS extensions (URL Rewrite, ARR, WebDAV) installed via Windows Server Roles
  • Web application frameworks registering ISAPI extensions during installation
  • Security product installations adding ISAPI filters for request inspection

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List IIS Global Modules (Detection Audit)

    Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-WebGlobalModule'. No system changes made.

  2. Test 2: Write Test DLL to IIS Directory

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\Windows\System32\inetsrv\df00tech-test.dll, Image=powershell.exe.

  3. Test 3: Check applicationHost.config for Module Registrations

    Expected signal: Sysmon EventCode 11: Read access to applicationHost.config (if configured for read monitoring). Sysmon EventCode 1: powershell.exe process.
