EXPLORE
Sign In
← Back to Explore
T1505.004

IIS Components

Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version<...

Windows
14
Detections
2
Sources
0
Threat Actors

BY SOURCE

9splunk_escu5sigma

PROCEDURES (12)

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Http2 detections

Auto-extracted: 2 detections for http

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Powershell1 detections

Auto-extracted: 1 detections for powershell

Service1 detections

Auto-extracted: 1 detections for service

Event Log1 detections

Auto-extracted: 1 detections for event log

Service1 detections

Auto-extracted: 1 detections for service

Http1 detections

Auto-extracted: 1 detections for http

Script Block1 detections

Auto-extracted: 1 detections for script block

Privilege1 detections

Auto-extracted: 1 detections for privilege

DETECTIONS (14)

ETW Logging/Processing Option Disabled On IIS Server
sigmamedium
HTTP Logging Disabled On IIS Server
sigmahigh
New Module Module Added To IIS Server
sigmamedium
Previously Installed IIS Module Was Removed
sigmalow
Suspicious IIS Module Registration
sigmahigh
Windows Disable Windows Event Logging Disable HTTP Logging
splunk_escu
Windows IIS Components Add New Module
splunk_escu
Windows IIS Components Get-WebGlobalModule Module Query
splunk_escu
Windows IIS Components Module Failed to Load
splunk_escu
Windows IIS Components New Module Added
splunk_escu
Windows PowerShell Add Module to Global Assembly Cache
splunk_escu
Windows PowerShell Disable HTTP Logging
splunk_escu
Windows PowerShell IIS Components WebGlobalModule Usage
splunk_escu
Windows Server Software Component GACUtil Install to GAC
splunk_escu