Techniques
Sample rules
Windows IIS Components Add New Module
- source: splunk
- technicques:
- T1505
- T1505.004
Description
The following analytic identifies the process AppCmd.exe installing a new module into IIS. AppCmd is a utility to manage IIS web sites and App Pools. An adversary may run this command to install a webshell or backdoor. This has been found to be used for credit card scraping, persistence, and further post-exploitation. An administrator may run this to install new modules for a web site or during IIS updates.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*install *", "*module *") AND Processes.process="*image*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_iis_components_add_new_module_filter`