this analytic is meant to assist with hunting modules across a fleet of iis servers. filter and modify as needed.

t1505
t1505.004
endpoint
splunk

Techniques

T1505
T1505.004

Sample rules

Windows IIS Components Get-WebGlobalModule Module Query

source: splunk
technicques:
- T1505.004
- T1505

Description

The following analytic requires the use of PowerShell inputs to run Get-WebGlobalModule to list out all the IIS Modules installed. The output is a list of Module names and the Image path of the DLL.

Detection logic

`iis_get_webglobalmodule` 
| stats count min(_time) as firstTime max(_time) as lastTime by host name image 
| rename host as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_iis_components_get_webglobalmodule_module_query_filter`