Server Software Component: IIS Components

Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.[1][2][3][4]

Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.[2][1][5][6][4][7]

Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.[8][4][9]

ID: T1505.004
Sub-technique of:  T1505
Tactic: Persistence
Platforms: Windows
Permissions Required: Administrator, SYSTEM
Contributors: Wes Hurd
Version: 1.0
Created: 03 June 2021
Last Modified: 17 October 2021

Procedure Examples

ID Name Description
S1022 IceApple

IceApple is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities.[10]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group targeted Windows servers running Internet Information Systems (IIS) to install C2 components.[11]

S0072 OwaAuth

OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL.[6]

S0258 RGDoor

RGDoor establishes persistence on webservers as an IIS module.[12][9]

Mitigations

ID Mitigation Description
M1047 Audit

Regularly check installed IIS components to verify the integrity of the web server and identify if unexpected changes have been made.

M1045 Code Signing

Ensure IIS DLLs and binaries are signed by the correct application developers.

M1038 Execution Prevention

Restrict unallowed ISAPI extensions and filters from running by specifying a list of ISAPI extensions and filters that can run on IIS.[13]

M1026 Privileged Account Management

Do not allow administrator accounts that have permissions to add IIS components to be used for day-to-day operations that may expose these permissions to potential adversaries and/or other unprivileged systems.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor execution and command-line arguments of AppCmd.exe, which may be abused to install malicious IIS modules.[8][12][9]

DS0022 File File Creation

Monitor for creation of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules.

File Modification

Monitor for modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\system32\inetsrv\config\applicationhost.config could indicate an IIS module installation.[8][9]

References