Techniques
Sample rules
Windows IIS Components Module Failed to Load
- source: splunk
- techniques:
- T1505
- T1505.004
Description
The following analytic uses EventCode 2282, which is generated when a Module DLL could not be loaded due to a configuration problem. This typically occurs when an IIS module is installed but fails to load, and it usually produces thousands of events until the issue is resolved. Review the failing module and determine whether it is legitimate.
Detection logic
`wineventlog_application` EventCode=2282
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode dest Name ModuleDll
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_iis_components_module_failed_to_load_filter`
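A host-side triage sketch for the "review the failing module" step, added here and not part of the original Splunk analytic. It collapses the Event 2282 flood into one row per DLL and reports whether each file is on disk, its Authenticode status and its hash. The regex assumes the event message names the DLL path after the words "Module DLL".

```powershell
# Added example: run in an elevated PowerShell session on the IIS host.
# Pull every "module failed to load" event from the Application log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 2282 } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Assumption: the message contains the failing DLL path after "Module DLL",
    # optionally wrapped in quotes.
    if ($e.Message -match 'Module DLL\s+[''"]?(?<dll>[^''"]+?\.dll)') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            # Expand %windir%-style variables so the path can be checked on disk.
            ModuleDll = [Environment]::ExpandEnvironmentVariables($Matches.dll)
        }
    }
}

# One row per DLL, mirroring the count / firstTime / lastTime of the SPL stats.
$rows | Group-Object ModuleDll | ForEach-Object {
    $path   = $_.Name
    $times  = @($_.Group.Time | Sort-Object)
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    [pscustomobject]@{
        ModuleDll = $path
        Count     = $_.Count
        FirstTime = $times[0]
        LastTime  = $times[-1]
        OnDisk    = $exists
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) {
                        $sig.SignerCertificate.Subject
                    } else { 'n/a' }
        SHA256    = if ($exists) {
                        (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    } else { 'n/a' }
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap
```

The signature status and hash are triage inputs only: compare them against the modules your change records say should be installed on that server.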