T1505.004
Description
The following data was produced to emulate suspicious IIS Module activity on Windows.
MITRE ATT&CK Techniques
| ID | Technique | Tactic |
|---|---|---|
| T1505.004 | IIS Components | Persistence |
Environment Details
| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | T1505.004 |
| Test Date | 2022-12-19 |
Datasets
The following datasets were collected during this attack simulation:
Pwsh_installediismodules
- Path: /datasets/attack_techniques/T1505.004/pwsh_installediismodules.log
- Sourcetype: iis
- Source: iis

Iis-Configuration-Operational
- Path: /datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log
- Sourcetype: iis
- Source: iis

4688_disable_http_logging-Windows-Security
- Path: /datasets/attack_techniques/T1505.004/4688_disable_http_logging-windows-security.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Security

Appcmd_install-Windows-Sysmon
- Path: /datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

2282_windows-Application
- Path: /datasets/attack_techniques/T1505.004/2282_windows-application.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-IIS-W3SVC-WP

4104_disable_http_logging_windows-Powershell
- Path: /datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

Gacutil_windows-Sysmon
- Path: /datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

4104_windows-Powershell
- Path: /datasets/attack_techniques/T1505.004/4104_windows-powershell.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

Gacutil_4688_windows-Security
- Path: /datasets/attack_techniques/T1505.004/gacutil_4688_windows-security.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Security

Disable_http_logging_windows-Sysmon
- Path: /datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Appcmd_4688-Windows-Security
- Path: /datasets/attack_techniques/T1505.004/appcmd_4688-windows-security.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Security
Related Detections
The following detections in our security content repository use this attack data for testing:
| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| Windows PowerShell Add Module to Global Assembly Cache | TTP | Endpoint | T1505.004 | IIS Components |
| Windows Disable Windows Event Logging Disable HTTP Logging | TTP | Endpoint | T1505.004, T1562.002 | IIS Components, CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics |
| Windows IIS Components Add New Module | Anomaly | Endpoint | T1505.004 | IIS Components, GhostRedirector IIS Module and Rungan Backdoor |
| Windows PowerShell IIS Components WebGlobalModule Usage | Anomaly | Endpoint | T1505.004 | GhostRedirector IIS Module and Rungan Backdoor, IIS Components |
| Windows IIS Components Get-WebGlobalModule Module Query | Hunting | Endpoint | T1505.004 | GhostRedirector IIS Module and Rungan Backdoor, IIS Components, WS FTP Server Critical Vulnerabilities |
| Windows PowerShell Disable HTTP Logging | TTP | Endpoint | T1505.004, T1562.002 | IIS Components, Windows Defense Evasion Tactics |
| Windows IIS Components New Module Added | TTP | Endpoint | T1505.004 | IIS Components, GhostRedirector IIS Module and Rungan Backdoor |
| Windows Server Software Component GACUtil Install to GAC | TTP | Endpoint | T1505.004 | IIS Components |
| Windows IIS Components Module Failed to Load | Anomaly | Endpoint | T1505.004 | IIS Components |
Usage Instructions
Replay with Splunk Attack Data
Replay the attack data with replay.py from Splunk Attack Data (the example below replays the first dataset listed above; substitute any other dataset path from this page):

```bash
python replay.py --dataset /datasets/attack_techniques/T1505.004/pwsh_installediismodules.log --index attack_data
```
Manual Import
- Download the dataset files from the paths listed above.
- Configure your Splunk instance with the sourcetypes listed for each dataset (iis or XmlWinEventLog).
- Import the logs using the Splunk Add Data wizard.
Related Content
Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0