Adversary installs or modifies IIS components (ISAPI filters, extensions, or modules) using DLL files registered via configuration changes or administrative tools like AppCmd.exe. These components intercept or manipulate HTTP requests/responses for persistence or C2.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | WinEventLog:Security | EventCode=4663 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Application Log Content (DC0038) | WinEventLog:System | Changes to applicationhost.config or DLLs loaded by w3wp.exe |
| Service Modification (DC0065) | WinEventLog:Microsoft-IIS-Configuration | Module or ISAPI filter registration events |

| Field | Description |
|---|---|
| TimeWindow | Adjustable time frame for detecting chained events (e.g., config change + module load) |
| UserContext | Scope detection to specific users or roles allowed to modify IIS components |
| WatchedPaths | Specific directories such as %windir%\System32\inetsrv\ for DLL monitoring |
| DLLNameEntropyThreshold | Entropy or name patterns to flag suspicious DLLs registered as components |
| ParentProcessName | Restrict to DLLs loaded by w3wp.exe or invoked via AppCmd.exe |
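As an added worked example (not part of the original page), the chained detection described above: a configuration or DLL change in the IIS directory by a user outside the allowed set, followed within the time window by w3wp.exe loading a DLL from a watched path. The event records, the user names, the DLL names and the tunable values are all constructed for this example.

```python
from datetime import datetime, timedelta

# Tunables mirroring the strategy's fields; values are constructed for this example.
TIME_WINDOW = timedelta(minutes=10)                        # TimeWindow
ALLOWED_USERS = {r"corp\iis-admin"}                        # UserContext (lower-cased)
WATCHED_PATHS = ("c:\\windows\\system32\\inetsrv\\",)      # WatchedPaths (lower-cased)
IIS_PARENTS = {"w3wp.exe"}                                 # ParentProcessName for module loads
CONFIG_FILE = "applicationhost.config"

def ev(ts, code, user, path, image):
    return {"ts": ts, "code": code, "user": user, "path": path, "image": image}

INETSRV = r"C:\Windows\System32\inetsrv"
EVENTS = [  # constructed sample telemetry: Security 4663, Sysmon 11 (FileCreate), Sysmon 7 (ImageLoad)
    ev("2024-05-01T10:00:00", 4663, r"CORP\svc-web", INETSRV + r"\config\applicationHost.config", "appcmd.exe"),
    ev("2024-05-01T10:02:30", 11, r"CORP\svc-web", INETSRV + r"\suspect.dll", "powershell.exe"),
    ev("2024-05-01T10:03:00", 7, r"IIS APPPOOL\DefaultAppPool", INETSRV + r"\suspect.dll", "w3wp.exe"),
    ev("2024-05-01T10:30:00", 7, r"IIS APPPOOL\DefaultAppPool", INETSRV + r"\late.dll", "w3wp.exe"),
    ev("2024-05-01T14:00:00", 4663, r"CORP\iis-admin", INETSRV + r"\config\applicationHost.config", "appcmd.exe"),
    ev("2024-05-01T14:01:00", 7, r"IIS APPPOOL\DefaultAppPool", INETSRV + r"\rewrite.dll", "w3wp.exe"),
]

def is_config_change(e):
    """4663 or Sysmon 11 touching applicationHost.config or a DLL inside a watched path."""
    p = e["path"].lower()
    return e["code"] in (4663, 11) and (p.endswith(CONFIG_FILE) or (p.endswith(".dll") and p.startswith(WATCHED_PATHS)))

def is_iis_module_load(e):
    """Sysmon 7: the IIS worker process loading a DLL from a watched path."""
    return e["code"] == 7 and e["image"].lower() in IIS_PARENTS and e["path"].lower().startswith(WATCHED_PATHS)

def correlate(events):
    """Map each w3wp.exe module load to the non-allowlisted config/DLL changes that
    preceded it within TIME_WINDOW; loads with no such change produce no alert."""
    changes = [e for e in events if is_config_change(e) and e["user"].lower() not in ALLOWED_USERS]
    alerts = {}
    for load in filter(is_iis_module_load, events):
        t_load = datetime.fromisoformat(load["ts"])
        preceding = [c["path"] for c in changes
                     if t_load - TIME_WINDOW <= datetime.fromisoformat(c["ts"]) <= t_load]
        if preceding:
            alerts[load["path"]] = preceding
    return alerts

if __name__ == "__main__":
    for dll, causes in correlate(EVENTS).items():
        print(f"ALERT: {dll} loaded by w3wp.exe after {causes}")
```

Only the 10:03 load is alerted: the 10:30 load falls outside the window and the 14:01 load follows a change by an allowed user, which is how the UserContext and TimeWindow fields suppress routine administration.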