Techniques
Sample rules
Windows IIS Components New Module Added
- source: splunk
- technicques:
- T1505
- T1505.004
Description
The following analytic detects the addition of new IIS modules on a Windows IIS server. It leverages the Windows Event log - Microsoft-IIS-Configuration/Operational, specifically EventCode 29, to identify this activity. This behavior is significant because IIS modules are rarely added to production servers, and unauthorized modules could indicate malicious activity. If confirmed malicious, an attacker could use these modules to execute arbitrary code, escalate privileges, or maintain persistence within the environment, potentially compromising the server and sensitive data.
Detection logic
`iis_operational_logs` EventCode=29
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message
| rename ComputerName AS dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_iis_components_new_module_added_filter`