Analytics Story: IIS Components

Date: 2022-12-19 ID: 0fbde550-8252-43ab-a26a-03976f55b58b Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence.

Why it matters

IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions - Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers. Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts. Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests. (reference MITRE)

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows Disable Windows Event Logging Disable HTTP Logging Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components TTP
Windows IIS Components Add New Module Server Software Component, IIS Components Anomaly
Windows IIS Components Get-WebGlobalModule Module Query IIS Components, Server Software Component Hunting
Windows IIS Components Module Failed to Load Server Software Component, IIS Components Anomaly
Windows IIS Components New Module Added Server Software Component, IIS Components TTP
Windows PowerShell Add Module to Global Assembly Cache Server Software Component, IIS Components TTP
Windows PowerShell Disable HTTP Logging Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components TTP
Windows PowerShell IIS Components WebGlobalModule Usage Server Software Component, IIS Components Anomaly
Windows Server Software Component GACUtil Install to GAC Server Software Component, IIS Components TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Installed IIS Modules Windows icon Windows Pwsh:InstalledIISModules powershell://AppCmdModules
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Application 2282 Windows icon Windows XmlWinEventLog XmlWinEventLog:Application
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows IIS 29 Windows icon Windows IIS:Configuration:Operational IIS:Configuration:Operational

References

Source: GitHub | Version: 1