title: IIS Components (T1505.004)
id: df00tech-t1505-004
status: experimental
description: "Adversaries install malicious ISAPI extensions, ISAPI filters, or IIS modules on Internet Information Services (IIS) web servers to establish persistent access. These components are DLLs loaded into the IIS worker process (w3wp.exe) and have unrestricted access to every HTTP request and response the server handles. RGDoor (OilRig) and OwaAuth (Threat Group-3390) used this technique. IceApple is an IIS post-exploitation framework with 18 modules. Unlike web shells, IIS components do not appear in directory listings of the web content and are harder to detect."
references:
  - https://attack.mitre.org/techniques/T1505/004/
  - https://df00tech.com/detections/T1505.004
author: df00tech
date: 2026/04/20
tags:
  - attack.t1505.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate IIS module installations for anti-virus scanning, WAF, or URL rewriting (URL Rewrite Module, Application Request Routing)"
  - "Windows Update applying patches to IIS components via TrustedInstaller/wusa"
  - "Third-party web application security products installing ISAPI filters for request inspection"
  - "Web application framework installations (ASP.NET, PHP for Windows, etc.) registering their respective ISAPI extensions"
level: critical
