ID | Technique | Tactic |
---|---|---|
T1505.004 | IIS Components | Persistence |
T1505 | Server Software Component | Persistence |
Detection: Windows IIS Components Get-WebGlobalModule Module Query
Description
The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation.
Search
1`iis_get_webglobalmodule`
2| stats count min(_time) as firstTime max(_time) as lastTime by host name image
3| rename host as dest
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `windows_iis_components_get_webglobalmodule_module_query_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Powershell Installed IIS Modules | Windows | 'Pwsh:InstalledIISModules' |
'powershell://AppCmdModules' |
Macros Used
Name | Value |
---|---|
iis_get_webglobalmodule | sourcetype="Pwsh:InstalledIISModules" |
windows_iis_components_get_webglobalmodule_module_query_filter | search * |
windows_iis_components_get_webglobalmodule_module_query_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | False |
Implementation
You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040
Known False Positives
This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
IIS Modules have been listed on $dest$. | 1 | 10 | 10 |
References
-
https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts
-
https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040
-
https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | powershell://AppCmdModules |
Pwsh:InstalledIISModules |
Integration | ✅ Passing | Dataset | powershell://AppCmdModules |
Pwsh:InstalledIISModules |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3