Detect IIS Components in Sumo Logic CSE
Adversaries install malicious ISAPI extensions, ISAPI filters, or IIS modules on Internet Information Services (IIS) web servers to establish persistent access. These components are DLLs loaded into the IIS worker process (w3wp.exe), so they see every HTTP request and response the server handles and can inspect, modify, or answer them in the context of the worker process. RGDoor (OilRig) and OwaAuth (Threat Group-3390) used this technique, and IceApple is an IIS post-exploitation framework built from 18 such modules. Unlike web shells, IIS components are not files in the web content tree: they are registered in the server configuration and loaded by w3wp.exe, so web-root directory listings and web-shell scans do not reveal them, which makes them harder to detect.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1505 Server Software Component
- Sub-technique
- T1505.004 IIS Components
- Canonical reference
- https://attack.mitre.org/techniques/T1505/004/
Sumo Detection Query
_sourceCategory=windows/sysmon
| where EventID in ("7", "11", "13")
// Part 1 (EventID 13, RegistryEvent Value Set): IIS/ISAPI component path written to the registry.
// Part 2 (EventID 11, FileCreate): DLL written to an IIS directory by something other than a known installer.
// Part 3 (EventID 7, ImageLoad): w3wp.exe loading a DLL from a user-writable location.
// Patterns are padded with .* so they match the whole field value.
| where (EventID = "13"
    AND TargetObject matches /(?i).*(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|inetsrv).*/
    AND Details matches /(?i).*\.dll.*/)
  OR (EventID = "11"
    AND TargetFilename matches /(?i).*\\(inetsrv|inetpub)\\.*\.dll$/
    AND !(Image matches /(?i).*\\(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe$/))
  OR (EventID = "7"
    AND Image matches /(?i).*\\w3wp\.exe$/
    AND ImageLoaded matches /(?i).*\\(Users|Temp|ProgramData|AppData)\\.*\.dll$/)
// EventID identifies which part matched, so it alone determines the label.
| if(EventID = "13", "IIS_Component_Registration",
    if(EventID = "11", "IIS_Dir_DLL_Write", "IIS_Non_Standard_Module_Load")) as detection_type
| fields _messageTime, host, User, detection_type, Image, CommandLine, TargetFilename, TargetObject, Details, ImageLoaded
| sort by _messageTime desc
Sumo Logic search over Sysmon operational events for malicious IIS component installation. Part 1 (EventID 13) catches a DLL path being written to registry keys associated with W3SVC, ISAPI filters/extensions, or GlobalModules. On IIS 7 and later, module and ISAPI registrations are stored in %windir%\System32\inetsrv\config\applicationHost.config rather than the registry, so this part is mainly a safety net for legacy paths; changes to applicationHost.config should be covered by file-integrity monitoring. Part 2 (EventID 11) catches DLLs written under inetsrv or inetpub by any process other than the listed installers. Part 3 (EventID 7) catches w3wp.exe loading a DLL from a user-writable path, which indicates potential IceApple-style module injection. The label is derived from EventID alone because each part of the filter applies to exactly one event ID, so a matching event cannot fall through to an "Unknown" label and be dropped.
Data Sources
- Sysmon (Microsoft-Windows-Sysmon/Operational) forwarded to Sumo Logic under _sourceCategory=windows/sysmon; change the source category to match your collector.
- EventID 11 (FileCreate), EventID 13 (RegistryEvent Value Set) and EventID 7 (ImageLoad). Sysmon does not record ImageLoad events unless they are enabled in its configuration (for example an ImageLoad include rule scoped to w3wp.exe); without that, Part 3 of the query never fires. The FileCreate and RegistryEvent rules must include the inetsrv/inetpub paths and the IIS-related registry keys.
- The field names used (EventID, Image, CommandLine, TargetFilename, TargetObject, Details, ImageLoaded, User) assume the Sysmon XML is parsed into fields of those names; rename them if your source uses a different field extraction.
False Positives & Tuning
- Legitimate third-party IIS modules installed by vendor MSI packages during patch cycles. msiexec.exe and the Windows servicing binaries are excluded by image name, but a vendor wrapper script that copies DLLs with robocopy or xcopy still triggers the file-write rule. The exclusion is name-based, so a dropper renamed setup.exe is excluded too; if you tighten it, match the image path under the Windows directory rather than the bare name and handle vendor setup.exe installers with a separate exclusion.
- IIS URL Rewrite Module or ARR (Application Request Routing) installations, which write native DLLs to inetsrv and register in GlobalModules during initial setup.
- Application deployments (msdeploy.exe, CI/CD agents) publishing assemblies into inetpub\wwwroot\...\bin. Suppress on the pipeline's service account (User) or deployment image rather than dropping the inetpub path, because managed modules registered from a bin folder are IIS components too.
- Security scanning tools or vulnerability assessment agents that load inspection DLLs into w3wp.exe as part of DAST testing on IIS-hosted applications. Sysmon ImageLoad events carry Signed, Signature and SignatureStatus fields; requiring an unsigned or unexpected signer in Part 3 removes most of this noise.
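The following Python script is an added example, not code from this page or from Sumo Logic. It re-implements the three parts of the query as regular expressions and runs them over a handful of constructed Sysmon events (the Test 2 file write, an msiexec.exe write, a deployment-pipeline write, a dropper renamed setup.exe, and two w3wp.exe image loads), so the exclusion logic can be checked offline before the rule is deployed. The strict installer pattern and the deployment-account suppression implement the hardening suggested in the tuning notes above; the account name CORP\svc-webdeploy and all sample paths are hypothetical.

```python
"""Replay of the three IIS-component rules over constructed Sysmon events."""
import re
from typing import Optional

# Patterns mirror the Sumo query. They are padded with .* so that a full-match
# engine and a search engine give the same answer.
REGISTRY_TARGET = re.compile(r"(?i).*(W3SVC|ISAPI.Filter|ISAPI.Extension|GlobalModules|inetsrv).*")
REGISTRY_DLL = re.compile(r"(?i).*\.dll.*")
IIS_DIR_DLL = re.compile(r"(?i).*\\(inetsrv|inetpub)\\.*\.dll$")
W3WP_IMAGE = re.compile(r"(?i).*\\w3wp\.exe$")
USER_WRITABLE_DLL = re.compile(r"(?i).*\\(Users|Temp|ProgramData|AppData)\\.*\.dll$")

# Installer exclusion as in the query: matched on the image name only.
INSTALLER_BY_NAME = re.compile(
    r"(?i).*\\(msiexec|setup|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe$")
# Hardened variant: only Windows' own servicing binaries, and only from under
# the Windows directory, so a dropper renamed setup.exe no longer qualifies.
INSTALLER_BY_PATH = re.compile(
    r"(?i)[a-z]:\\Windows\\.*\\(msiexec|pkgmgr|TiWorker|TrustedInstaller|wusa|dism)\.exe$")

# Tuning knob: writes by the deployment pipeline's service account are
# suppressed rather than excluding the whole inetpub tree.
# The account name is a hypothetical placeholder.
DEPLOY_ACCOUNTS = {r"CORP\svc-webdeploy"}


def classify(ev: dict, strict_installers: bool = False) -> Optional[str]:
    """Return the detection_type label the query would assign, or None."""
    eid = str(ev.get("EventID", ""))
    if eid == "13":
        if (REGISTRY_TARGET.fullmatch(ev.get("TargetObject", ""))
                and REGISTRY_DLL.fullmatch(ev.get("Details", ""))):
            return "IIS_Component_Registration"
    elif eid == "11":
        installer = INSTALLER_BY_PATH if strict_installers else INSTALLER_BY_NAME
        if (IIS_DIR_DLL.fullmatch(ev.get("TargetFilename", ""))
                and not installer.fullmatch(ev.get("Image", ""))
                and ev.get("User", "") not in DEPLOY_ACCOUNTS):
            return "IIS_Dir_DLL_Write"
    elif eid == "7":
        if (W3WP_IMAGE.fullmatch(ev.get("Image", ""))
                and USER_WRITABLE_DLL.fullmatch(ev.get("ImageLoaded", ""))):
            return "IIS_Non_Standard_Module_Load"
    return None


def run(events, strict_installers: bool = False) -> list:
    """Return (event name, detection_type) for every event that fires."""
    hits = []
    for ev in events:
        label = classify(ev, strict_installers)
        if label:
            hits.append((ev["name"], label))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed sample events (not real telemetry); field names follow Sysmon.
SAMPLE_EVENTS = [
    # Test 1: enumerating modules is a ProcessCreate event, outside the query's scope.
    {"name": "test1_enum", "EventID": "1", "Image": PS, "CommandLine": "powershell -c Get-WebGlobalModule"},
    # Test 2: PowerShell drops a .dll into inetsrv; PowerShell is not an installer.
    {"name": "test2_drop", "EventID": "11", "Image": PS, "User": r"CORP\admin",
     "TargetFilename": r"C:\Windows\System32\inetsrv\df00tech-test.dll"},
    # Vendor MSI installing a module: excluded by the installer list.
    {"name": "msi_install", "EventID": "11", "Image": r"C:\Windows\System32\msiexec.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TargetFilename": r"C:\Windows\System32\inetsrv\rewrite.dll"},
    # Deployment pipeline publishing an app assembly: suppressed by account.
    {"name": "deploy_bin", "EventID": "11", "Image": r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
     "User": r"CORP\svc-webdeploy", "TargetFilename": r"C:\inetpub\wwwroot\app\bin\App.dll"},
    # Dropper renamed setup.exe: passes the name-based exclusion, caught by the path-based one.
    {"name": "renamed_dropper", "EventID": "11", "Image": r"C:\Users\Public\setup.exe",
     "User": r"CORP\web01$", "TargetFilename": r"C:\Windows\System32\inetsrv\evil.dll"},
    # w3wp.exe loading a DLL staged under ProgramData.
    {"name": "w3wp_programdata", "EventID": "7", "Image": W3WP, "ImageLoaded": r"C:\ProgramData\Microsoft\cache.dll"},
    # Normal module load from inetsrv: not selected.
    {"name": "w3wp_normal", "EventID": "7", "Image": W3WP, "ImageLoaded": r"C:\Windows\System32\inetsrv\cachuri.dll"},
    # Legacy registry-based ISAPI filter registration.
    {"name": "reg_isapi", "EventID": "13", "Details": r"C:\Windows\System32\inetsrv\evil.dll",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Filter DLLs"},
]

if __name__ == "__main__":
    for name, label in run(SAMPLE_EVENTS):
        print(f"{name:20s} {label}")
    print("strict installer exclusion:", run(SAMPLE_EVENTS, strict_installers=True))
```

With the query's name-based exclusion, only test2_drop, w3wp_programdata and reg_isapi fire; the renamed dropper is silently excluded. With strict_installers=True it is caught, at the cost of needing a separate exclusion for legitimate vendor setup.exe installers. To carry the hardening back into Sumo, replace the Image match in Part 2 with the INSTALLER_BY_PATH pattern.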
Testing Methodology
Validate the detection with the three tests below. Each lists the behaviour to exercise and the telemetry to expect; Sysmon must be configured as described under Data Sources. Only Test 2 produces an event the query selects; Tests 1 and 3 are audit steps that establish the baseline of registered components before and after the file write.
- Test 1: List IIS Global Modules (detection audit)
Expected signal: Sysmon EventID 1 (ProcessCreate) for powershell.exe with a CommandLine containing 'Get-WebGlobalModule'. No system changes are made, and EventID 1 is outside the query's scope, so no alert is expected.
- Test 2: Write Test DLL to IIS Directory
Expected signal: Sysmon EventID 11 (FileCreate) with TargetFilename=C:\Windows\System32\inetsrv\df00tech-test.dll and an Image ending in powershell.exe. PowerShell is not in the installer exclusion list, so the query labels the event IIS_Dir_DLL_Write. The file only needs the .dll extension; it does not have to be a valid PE, and because it is not registered with IIS, w3wp.exe never loads it. Delete the file after the test.
- Test 3: Check applicationHost.config for Module Registrations
Expected signal: Sysmon EventID 1 for the powershell.exe process only. Sysmon does not record file reads (EventID 11 covers file creation and overwrite), so reading %windir%\System32\inetsrv\config\applicationHost.config produces no file event and no alert from the query. Compare the globalModules, isapiFilters and isapiCgiRestriction entries against the baseline from Test 1.
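Tests 1 and 3 inspect the registration state rather than generate alerts. The Python script below is an added example (not from this page, and not an IIS or Microsoft tool) that performs the same inspection offline against a copy of applicationHost.config collected from a host. It lists native modules, ISAPI filters and ISAPI/CGI restriction entries whose DLL lives outside the directories where IIS and vendor components are normally installed, and managed modules whose .NET type is outside the Microsoft namespaces. The expected-directory list and the embedded config fragment are constructed assumptions; extend the prefixes for your environment.

```python
"""Offline audit of IIS component registrations in a copy of applicationHost.config."""
import sys
import xml.etree.ElementTree as ET

# Where stock and vendor-installed native components normally live
# (assumed defaults; extend for your environment).
EXPECTED_PREFIXES = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def normalize(path: str) -> str:
    """Lower-case and resolve the environment variables IIS uses in image paths."""
    p = path.strip().lower()
    for var, val in (("%windir%", r"c:\windows"), ("%systemroot%", r"c:\windows"),
                     ("%programfiles%", r"c:\program files"),
                     ("%programfiles(x86)%", r"c:\program files (x86)")):
        p = p.replace(var, val)
    return p


def audit(config_xml: str) -> list:
    """Return registrations worth review: native DLLs outside the expected
    directories, and managed modules whose type is not a Microsoft type."""
    root = ET.fromstring(config_xml)
    findings = []
    native_sections = (
        (".//globalModules/add", "image", "native module"),
        (".//isapiFilters/filter", "path", "ISAPI filter"),
        (".//isapiCgiRestriction/add", "path", "ISAPI/CGI restriction"),
    )
    for xpath, attr, kind in native_sections:
        for el in root.iterfind(xpath):
            dll = el.get(attr, "")
            if not normalize(dll).startswith(EXPECTED_PREFIXES):
                findings.append({
                    "kind": kind,
                    "name": el.get("name") or el.get("description") or dll,
                    "path": dll,
                    "reason": "DLL outside expected directories",
                })
    # Managed modules are registered by .NET type, not by DLL. A non-Microsoft
    # namespace is only a review heuristic; verify the assembly in the app's bin.
    for el in root.iterfind(".//modules/add"):
        typ = el.get("type", "")
        if typ and not typ.startswith(("System.Web", "Microsoft.")):
            findings.append({"kind": "managed module", "name": el.get("name", ""),
                             "path": typ, "reason": "non-Microsoft managed type"})
    return findings


# Constructed applicationHost.config fragment, not taken from a real server:
# stock entries plus a legitimate-looking module name pointing outside inetsrv,
# an ISAPI extension under the web root, and a custom managed module.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="CacheUriModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpCacheModule" image="C:\ProgramData\Microsoft\cache.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit" path="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll" enableCache="true" preCondition="bitness64" />
    </isapiFilters>
    <security>
      <isapiCgiRestriction>
        <add path="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" allowed="true" description="ASP.NET v4.0.30319" />
        <add path="C:\inetpub\wwwroot\bin\owa.dll" allowed="true" description="OWA helper" />
      </isapiCgiRestriction>
    </security>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
        <add name="HealthCheck" type="Corp.Web.HealthCheckModule" preCondition="managedHandler" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

if __name__ == "__main__":
    xml_text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_APPHOST
    for f in audit(xml_text):
        print(f"{f['kind']:22s} {f['name']:20s} {f['path']}  ({f['reason']})")
```

Run it with the path to a collected applicationHost.config, or with no argument to audit the embedded fragment, which reports HttpCacheModule (DLL under ProgramData), the "OWA helper" ISAPI entry (DLL under inetpub) and the HealthCheck managed module. Path checks are textual, so the script works on a Linux analysis host; signature and hash checks of the flagged DLLs still have to be done on the source system or on the collected binaries.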
References (5)
- https://attack.mitre.org/techniques/T1505/004/
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/
- https://www.crowdstrike.com/blog/iceapple-a-novel-internet-information-services-post-exploitation-framework/
- https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview