Previously Installed IIS Module Was Removed

 1title: Previously Installed IIS Module Was Removed
 2id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
 3status: experimental
 4description: Detects the removal of a previously installed IIS module.
 5references:
 6    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
 7    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
 8    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
 9    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
10author: Nasreddine Bencherchali
11date: 2024-10-06
12tags:
13    - attack.defense-evasion
14    - attack.persistence
15    - attack.t1562.002
16    - attack.t1505.004
17logsource:
18    product: windows
19    service: iis-configuration
20detection:
21    selection:
22        EventID: 29
23        Configuration|contains: '/system.webServer/modules/remove'
24    condition: selection
25falsepositives:
26    - Legitimate administrator activity
27# Note: Upgrade after an initial baseline
28level: low

References

• Configure Logging in IIS

  

  You can configure logging on your web server or website that records information about HTTP requests and errors. The information in your log can help you tro...

  
  Read More

• IIS modules: The evolution of web shells and how to detect them  | Microsoft Security Blog

  

  This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations.

  
  Read More

• Malicious IIS extensions quietly open persistent backdoors into servers | Microsoft Security Blog

  

  Attackers are increasingly leveraging managed IIS extensions as covert backdoors into servers, providing a durable persistence mechanism for attacks.

  
  Read More

• IIS Modules Overview

  

  The IIS 7 and later Web server feature set is componentized into more than thirty independent modules; a module is either a Win32 DLL (native module) or a .N...

  
  Read More

Related rules

• New Module Module Added To IIS Server
• ETW Logging/Processing Option Disabled On IIS Server
• HTTP Logging Disabled On IIS Server
• Potential Suspicious Activity Using SeCEdit
• Potential PrintNightmare Exploitation Attempt