Techniques
Sample rules
Windows IIS Components New Module Added
- source: splunk
- technicques:
- T1505
- T1505.004
Description
The following analytic uses the Windows Event log - Microsoft-IIS-Configuration/Operational - which must be enabled and logged on Windows IIS servers before it can be Splunked. The following analytic identifies newly installed IIS modules. Per Microsoft, IIS modules are not commonly added to a production IIS server, so alerting on this event ID should be enabled.IIS modules can be installed at a global level or at a site level. In detecting malicious IIS modules, it is important to check both the global and site level for unauthorized modules. Regular monitoring of these locations for such modules and comparing against a known good list can help detect and identify malicious IIS modules.
Detection logic
`iis_operational_logs` EventCode=29
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message
| rename ComputerName AS dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_iis_components_new_module_added_filter`