IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via command line
Sigma rule
```yaml
title: IIS Native-Code Module Command Line Installation
id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
status: test
description: Detects suspicious IIS native-code module installations via command line
references:
    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems)
date: 2019-12-11
modified: 2024-03-13
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'install'
            - 'module'
        CommandLine|contains|windash: '-name:'
    filter_iis_setup:
        ParentImage: 'C:\Windows\System32\inetsrv\iissetup.exe'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown as it may vary from organisation to organisation how admins use to install IIS modules
level: medium
```
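As an added example that is not part of the rule or of the Sigma project, the following Python evaluates the detection logic above over constructed process_creation events, including the renamed-binary case caught by OriginalFileName, the slash-style switch covered by windash, and the iissetup.exe parent that the filter suppresses. The dash set for windash follows the Sigma specification, and the paths, module and DLL names in the sample events are placeholders.

```python
APPCMD = r"C:\Windows\System32\inetsrv\appcmd.exe"
CMD = r"C:\Windows\System32\cmd.exe"
IISSETUP = r"C:\Windows\System32\inetsrv\iissetup.exe"

def ev(image, cmd, parent, orig="appcmd.exe"):
    """Build a constructed process_creation event with only the fields the rule reads."""
    return {"Image": image, "OriginalFileName": orig, "CommandLine": cmd, "ParentImage": parent}

# Constructed sample events, not real telemetry; module and DLL names are placeholders.
SAMPLE_EVENTS = [
    ev(APPCMD, r"appcmd.exe install module -name:ExampleMod -image:C:\inetpub\mod\x.dll", CMD),  # admin install: match
    ev(APPCMD, r"APPCMD INSTALL MODULE /name:ExampleMod /image:C:\inetpub\mod\x.dll", CMD),      # slash switch: windash match
    ev(r"C:\Users\Public\svc.exe", "svc.exe install module -name:ExampleMod -image:x.dll", CMD), # renamed binary: OriginalFileName match
    ev(APPCMD, "appcmd.exe install module -name:DefaultDocumentModule", IISSETUP),               # IIS setup parent: filtered out
    ev(APPCMD, "appcmd.exe list modules", CMD),                                                  # benign listing: no match
]

# Sigma's windash modifier expands a dash to the switch prefixes Windows tools accept;
# this set follows the Sigma specification ('-', '/', en dash, em dash, horizontal bar).
WINDASH = ["-", "/", "\u2013", "\u2014", "\u2015"]

def windash_variants(value: str) -> list[str]:
    return [value.replace("-", d, 1) for d in WINDASH]

def contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive unless the |cased modifier is used.
    return needle.lower() in haystack.lower()

def matches_rule(event: dict) -> bool:
    """Evaluate 'all of selection_* and not 1 of filter_*' for one event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # selection_img is a list of maps, which Sigma ORs together.
    selection_img = (image.lower().endswith(r"\appcmd.exe")
                     or event.get("OriginalFileName", "").lower() == "appcmd.exe")
    # selection_cli: every key must hold; contains|all needs each listed substring.
    selection_cli = (all(contains(cmd, s) for s in ("install", "module"))
                     and any(contains(cmd, v) for v in windash_variants("-name:")))
    filter_iis_setup = event.get("ParentImage", "").lower() == IISSETUP.lower()
    return selection_img and selection_cli and not filter_iis_setup

def alerting_indexes(events: list[dict]) -> list[int]:
    """Indexes of the events that would trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print(alerting_indexes(SAMPLE_EVENTS))  # [0, 1, 2]
```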
Related rules
- Antivirus Web Shell Detection
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- Chopper Webshell Process Pattern
- DEWMODE Webshell Access