T1505.004 Suspicious IIS Module Registration

T1505.004 - Suspicious IIS Module Registration

DESCRIPTION

Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors. Author: Florian Roth (Nextron Systems), Microsoft (idea)

Example:

NA

Reference: https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml#L12

Related

ATT&CK TACTICS

T1505.004 - Server Software Component: IIS Components

Data Source(s): Command, Process

SENTINEL RULE QUERY

let selection_cli_3 = dynamic(['gacutil','/I']);
DeviceProcessEvents
| where InitiatingProcessFolderPath endswith "\\w3wp.exe"
| where ProcessCommandLine has "appcmd.exe add module" or
        (ProcessCommandLine has "system.enterpriseservices.internal.publish" and FolderPath endswith "\\powershell.exe") or
        (ProcessCommandLine has_all (selection_cli_3))

Triage

1. This is high-confidence detection, examine IIS extensions module created
2. If not expected, analyse the module sample

Falsepositives:

1. Administrative activity

VERSION

Version 1.0 (date: 26/10/2023)