Suspicious IIS Module Registration
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
Sigma rule
title: Suspicious IIS Module Registration
id: 043c4b8b-3a54-4780-9682-081cb6b8185c
status: test
description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
references:
    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems), Microsoft (idea)
date: 2022-08-04
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\w3wp.exe'
    selection_cli_1:
        CommandLine|contains: 'appcmd.exe add module'
    selection_cli_2:
        CommandLine|contains: ' system.enterpriseservices.internal.publish'
        Image|endswith: '\powershell.exe'
    selection_cli_3:
        CommandLine|contains|all:
            - 'gacutil'
            - ' /I'
    condition: selection_parent and 1 of selection_cli_*
falsepositives:
    - Administrative activity
level: high
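To make the rule's matching semantics concrete, the following is an added example (not code from the Sigma project or from the rule author) that evaluates the detection above against a handful of constructed process_creation events. It assumes Sigma's default string-modifier behaviour (case-insensitive `endswith`, `contains` and `contains|all`) and models the condition `selection_parent and 1 of selection_cli_*` directly; the event labels, file paths and command lines are invented for illustration, and the two non-matching events show why the parent-process constraint and the per-selection field AND matter for keeping the false-positive rate down.

```python
"""Evaluate the 'Suspicious IIS Module Registration' Sigma rule over
constructed process_creation events.

Added example, not code from the Sigma project or the rule author. The
events are constructed for illustration; the matching mirrors Sigma's
default string-modifier semantics (case-insensitive endswith / contains /
contains|all) and the rule's 'selection_parent and 1 of selection_cli_*'
condition.
"""
from typing import Callable, Dict, List

Event = Dict[str, str]


def endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def contains_all(value: str, needles: List[str]) -> bool:
    """Sigma 'contains|all' modifier: every needle must be present."""
    return all(contains(value, n) for n in needles)


def selection_parent(event: Event) -> bool:
    # ParentImage|endswith: '\w3wp.exe'  (child spawned by the IIS worker process)
    return endswith(event.get("ParentImage", ""), "\\w3wp.exe")


def selection_cli_1(event: Event) -> bool:
    # CommandLine|contains: 'appcmd.exe add module'
    return contains(event.get("CommandLine", ""), "appcmd.exe add module")


def selection_cli_2(event: Event) -> bool:
    # Both fields of this selection must match (fields inside one selection are AND-ed)
    return contains(event.get("CommandLine", ""), " system.enterpriseservices.internal.publish") \
        and endswith(event.get("Image", ""), "\\powershell.exe")


def selection_cli_3(event: Event) -> bool:
    # CommandLine|contains|all: ['gacutil', ' /I']
    return contains_all(event.get("CommandLine", ""), ["gacutil", " /I"])


CLI_SELECTIONS: List[Callable[[Event], bool]] = [selection_cli_1, selection_cli_2, selection_cli_3]


def rule_matches(event: Event) -> bool:
    """condition: selection_parent and 1 of selection_cli_*"""
    return selection_parent(event) and any(sel(event) for sel in CLI_SELECTIONS)


def matching_labels(events: List[Event]) -> List[str]:
    """Return the labels of the events the rule would alert on."""
    return [e["label"] for e in events if rule_matches(e)]


# Constructed sample events (labels, paths and command lines invented for this example)
SAMPLE_EVENTS: List[Event] = [
    {
        "label": "appcmd-add-module-from-w3wp",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "CommandLine": "appcmd.exe add module /name:ExampleModule",
    },
    {
        "label": "powershell-publish-from-w3wp",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -Command New-Object System.EnterpriseServices.Internal.Publish",
    },
    {
        "label": "gacutil-install-from-w3wp",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Example\gacutil.exe",
        "CommandLine": r"gacutil.exe /I C:\Example\ExampleModule.dll",
    },
    {
        # Same command line, but the parent is an admin shell rather than w3wp: no alert
        "label": "appcmd-add-module-from-cmd",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "CommandLine": "appcmd.exe add module /name:ExampleModule",
    },
    {
        # w3wp spawning appcmd for a read-only listing: none of the selection_cli_* match
        "label": "appcmd-list-module-from-w3wp",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "CommandLine": "appcmd.exe list module",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['label']:40s} -> {'ALERT' if rule_matches(event) else 'ok'}")
```

Running the script prints ALERT for the first three events and ok for the last two. When porting the rule to a SIEM, check that the backend applies the same case-insensitive semantics for `contains` and `endswith`; a case-sensitive translation would silently miss command lines such as `GACUTIL.EXE /i`.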