| ID | Technique | Tactic |
|---|---|---|
| T1505.004 | IIS Components | Persistence |
| T1505 | Server Software Component | Persistence |
Detection: Windows IIS Components Get-WebGlobalModule Module Query
Description
The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation.
Search
1`iis_get_webglobalmodule`
2| stats count min(_time) as firstTime max(_time) as lastTime by host name image
3| rename host as dest
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `windows_iis_components_get_webglobalmodule_module_query_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| Powershell Installed IIS Modules |  Windows |
'Pwsh:InstalledIISModules' |
'powershell://AppCmdModules' |
N/A |
Macros Used
| Name | Value |
|---|---|
| iis_get_webglobalmodule | sourcetype="Pwsh:InstalledIISModules" |
| windows_iis_components_get_webglobalmodule_module_query_filter | search * |
windows_iis_components_get_webglobalmodule_module_query_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.INSTALLATION
NistCategory.DE_AE
Cis18Value.CIS_10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | False |
This configuration file applies to all detections of type hunting.
Implementation
You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040
Known False Positives
This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| IIS Modules have been listed on $dest$. | 1 | 10 | 10 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
-
https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts
-
https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040
-
https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | powershell://AppCmdModules |
Pwsh:InstalledIISModules |
| Integration | ✅ Passing | Dataset | powershell://AppCmdModules |
Pwsh:InstalledIISModules |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2