IIS Native-Code Module Command Line Installation

Detects suspicious IIS native-code module installations via command line

Sigma rule

title: IIS Native-Code Module Command Line Installation
id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
status: test
description: Detects suspicious IIS native-code module installations via command line
references:
    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems)
date: 2019/12/11
modified: 2024/03/13
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'install'
            - 'module'
        CommandLine|contains|windash: '-name:'
    filter_iis_setup:
        ParentImage: 'C:\Windows\System32\inetsrv\iissetup.exe'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown, as the way administrators install IIS modules may vary from organisation to organisation
level: medium
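As an added example (not part of the rule or of the Sigma project), the following Python evaluates this rule's logic over a few constructed process_creation events: it shows the windash handling of `-name:`/`/name:`, why the OriginalFileName alternative still catches a renamed copy of appcmd.exe, and how the iissetup.exe parent filter suppresses the install performed during IIS setup. Event field names follow the rule; the paths, module names and events themselves are made up.

```python
# Constructed sample events (not real telemetry); field names follow the rule.
SAMPLE_EVENTS = [
    {  # admin shell installs a module with the slash switch form -> match
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": r'appcmd.exe install module /name:"ExampleMod" /image:"C:\inetpub\mod.dll"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # same install, but spawned by the IIS setup helper -> filtered out
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": r'appcmd.exe install module /name:"ExampleMod" /image:"C:\inetpub\mod.dll"',
        "ParentImage": r"C:\Windows\System32\inetsrv\iissetup.exe",
    },
    {  # renamed copy of appcmd.exe, dash switch form -> match via OriginalFileName
        "Image": r"C:\Temp\svc.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": r"svc.exe install module -name:ExampleMod -image:C:\Temp\mod.dll",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {  # only listing modules -> selection_cli fails, no match
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": "appcmd.exe list module",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

def windash_contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains|windash': accept the switch with '-' or '/' as its prefix."""
    return any(v in haystack for v in (needle, needle.replace("-", "/", 1)))

def selection_img(ev: dict) -> bool:
    # A list under a selection is OR-ed: either field may identify appcmd.exe.
    return (ev.get("Image", "").lower().endswith(r"\appcmd.exe")
            or ev.get("OriginalFileName", "").lower() == "appcmd.exe")

def selection_cli(ev: dict) -> bool:
    cl = ev.get("CommandLine", "").lower()  # Sigma string matching is case-insensitive
    return all(s in cl for s in ("install", "module")) and windash_contains(cl, "-name:")

def filter_iis_setup(ev: dict) -> bool:
    return ev.get("ParentImage", "").lower() == r"c:\windows\system32\inetsrv\iissetup.exe"

def rule_matches(ev: dict) -> bool:
    # condition: all of selection_* and not 1 of filter_*
    return selection_img(ev) and selection_cli(ev) and not filter_iis_setup(ev)

def alerting_indices(events: list) -> list:
    return [i for i, ev in enumerate(events) if rule_matches(ev)]
```

Running `alerting_indices(SAMPLE_EVENTS)` returns `[0, 2]`: the interactive install and the renamed-binary install alert, while the setup-spawned install and the plain listing do not.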
