LoFP / Unknown, as it may vary from organisation to organisation how admins install IIS modules

Techniques

Sample rules

IIS Native-Code Module Command Line Installation

Description

Detects suspicious IIS native-code module installations via command line

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_iis_setup:
  ParentImage: C:\Windows\System32\inetsrv\iissetup.exe
selection_cli:
  CommandLine|contains|all:
  - install
  - module
  CommandLine|contains|windash: '-name:'
selection_img:
- Image|endswith: \appcmd.exe
- OriginalFileName: appcmd.exe
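The detection logic above, re-implemented in Python and run over constructed process-creation events, as an added example that is not part of the LoFP page or the Sigma rule itself. The event fields, paths and command lines are assumptions; the `windash` expansion follows the Sigma modifier (a `-` switch prefix also matches `/` and, in current Sigma versions, Unicode dash look-alikes).

```python
import itertools
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Constructed Sysmon-style process-creation event (not real telemetry)."""
    image: str
    original_file_name: str
    command_line: str
    parent_image: str

IISSETUP = r"C:\Windows\System32\inetsrv\iissetup.exe"
# Sigma |windash: each '-' may also appear as '/' or (current Sigma versions)
# as an en dash / em dash, written here as escapes.
DASHES = ("-", "/", "\u2013", "\u2014")

def windash_variants(value: str) -> list[str]:
    """Expand every '-' in value into all dash-character permutations."""
    parts = value.split("-")
    variants = []
    for combo in itertools.product(DASHES, repeat=len(parts) - 1):
        text = parts[0]
        for dash, part in zip(combo, parts[1:]):
            text += dash + part
        variants.append(text)
    return variants

def selection_img(ev: ProcessEvent) -> bool:
    # A list of maps in Sigma is OR-ed: image path or PE OriginalFileName.
    return (ev.image.lower().endswith("\\appcmd.exe")
            or ev.original_file_name.lower() == "appcmd.exe")

def selection_cli(ev: ProcessEvent) -> bool:
    cl = ev.command_line.lower()  # Sigma string matching is case-insensitive
    return (all(tok in cl for tok in ("install", "module"))
            and any(v in cl for v in windash_variants("-name:")))

def filter_iis_setup(ev: ProcessEvent) -> bool:
    return ev.parent_image.lower() == IISSETUP.lower()

def rule_matches(ev: ProcessEvent) -> bool:
    """condition: all of selection_* and not 1 of filter_*"""
    return selection_img(ev) and selection_cli(ev) and not filter_iis_setup(ev)

APPCMD = r"C:\Windows\System32\inetsrv\appcmd.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed; expected verdict in each comment
    ProcessEvent(APPCMD, "appcmd.exe", "appcmd install module -name:Demo -image:C:\\mods\\demo.dll", CMD),       # True
    ProcessEvent(APPCMD, "appcmd.exe", "appcmd install module /name:Demo /image:C:\\mods\\demo.dll", CMD),       # True (windash)
    ProcessEvent(APPCMD, "appcmd.exe", "appcmd install module -name:Demo -image:C:\\mods\\demo.dll", IISSETUP),  # False (setup filter)
    ProcessEvent(r"C:\Users\Public\tool.exe", "appcmd.exe", "tool INSTALL MODULE /Name:Demo", CMD),             # True (OriginalFileName)
    ProcessEvent(APPCMD, "appcmd.exe", "appcmd list module", CMD),                                              # False (no install)
]

def evaluate(events: list[ProcessEvent]) -> list[bool]:
    return [rule_matches(ev) for ev in events]
```

Running `evaluate(SAMPLE_EVENTS)` shows the rule firing on the interactive installs (including the slash-style switch and the renamed image) while the `iissetup.exe`-spawned install is suppressed by `filter_iis_setup`.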