
DET0068 Detection Strategy for T1505.004 - Malicious IIS Components

| Item | Value |
|---|---|
| ID | DET0068 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1505.004 (IIS Components)

Analytics

Windows

AN0184

An adversary installs or modifies an IIS component (an ISAPI filter, an ISAPI extension, or a native or managed module) by dropping a DLL and registering it through a configuration change (editing applicationHost.config) or an administrative tool such as AppCmd.exe. Once the IIS worker process (w3wp.exe) loads the component, it can intercept or manipulate HTTP requests and responses, giving the adversary persistence or a C2 channel that rides on legitimate web traffic.

Log Sources
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | WinEventLog:Security | EventCode=4663, 4670, 4656 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Application Log Content (DC0038) | WinEventLog:System | Changes to applicationHost.config or DLLs loaded by w3wp.exe |
| Service Modification (DC0065) | WinEventLog:Microsoft-IIS-Configuration | Module or ISAPI filter registration events |

Prerequisites: the Security events (4656, 4663, 4670) are only generated when Audit File System (Object Access) is enabled and a SACL is set on the monitored files, typically %windir%\System32\inetsrv\ including config\applicationHost.config. Sysmon image-load logging (EventCode=7) is off by default and must be enabled with a rule that covers w3wp.exe, otherwise the Module Load analytic and the chained detection have no data.
Mutable Elements
| Field | Description |
|---|---|
| TimeWindow | Adjustable time frame for detecting chained events (e.g., a configuration change or AppCmd.exe registration followed by a module load in w3wp.exe) |
| UserContext | Scope detection to the specific users or roles allowed to modify IIS components; a registration by any other account is suspicious |
| WatchedPaths | Directories to monitor for DLL activity, such as %windir%\System32\inetsrv\ (IIS binaries) and its config\ subdirectory (applicationHost.config) |
| DLLNameEntropyThreshold | Entropy or name-pattern threshold used to flag suspicious DLLs registered as components |
| ParentProcessName | Restrict to DLLs loaded by w3wp.exe or registered via AppCmd.exe |
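The chained detection AN0184 describes (an AppCmd.exe registration, a dropped DLL, then w3wp.exe loading that DLL within TimeWindow), worked through as an added Python example; this is not part of DET0068 or the ATT&CK project. The event dicts model the Sysmon EventCode 1, 7 and 11 fields (Image, CommandLine, ImageLoaded, Signed, TargetFilename), the CONFIG values mirror the mutable elements above, and the account names, paths and all sample events are constructed assumptions for the demo.

```python
"""Added example, not part of DET0068: correlate IIS component registration with DLL loads in
the IIS worker process, using the analytic's mutable elements as tunables. The events at the
bottom are constructed sample data, not real telemetry."""
import math
import os
import re
from collections import Counter
from datetime import datetime, timedelta

# Tunables mirroring DET0068's mutable elements (values are assumptions for the demo)
CONFIG = {
    "TimeWindow": timedelta(minutes=10),               # registration -> load chain window
    "UserContext": {"CONTOSO\\iisadmin"},              # accounts allowed to register components
    "WatchedPaths": [r"C:\Windows\System32\inetsrv"],  # trusted location for IIS DLLs
    "DLLNameEntropyThreshold": 3.2,                    # Shannon entropy (bits/char) of the DLL stem
    "ParentProcessName": {"w3wp.exe", "appcmd.exe"},   # loader and admin tool in scope
}
# AppCmd verbs that register a native module or rewrite the ISAPI/globalModules config sections
REGISTRATION_RE = re.compile(
    r"install\s+module|add\s+module|set\s+config.*(?:isapiFilters|isapiCgiRestriction|globalModules)",
    re.IGNORECASE)
IMAGE_ARG_RE = re.compile(r'/image:"?([^\s"]+\.dll)', re.IGNORECASE)

def parse_time(s): return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def image_name(path):
    """Lower-cased basename of a Windows path (works on non-Windows hosts too)."""
    return os.path.basename(path.replace("\\", "/")).lower()

def name_entropy(path):
    """Shannon entropy of the file stem, e.g. 'cachuri' for cachuri.dll."""
    stem = os.path.splitext(image_name(path))[0]
    n = len(stem)
    return -sum(c / n * math.log2(c / n) for c in Counter(stem).values()) if n else 0.0

def under_watched_path(path):
    p = path.lower().replace("/", "\\")
    return any(p.startswith(w.lower().rstrip("\\") + "\\") for w in CONFIG["WatchedPaths"])

def registration_events(events):
    """Sysmon EventCode=1: AppCmd.exe run with a verb that registers an IIS component."""
    return [e for e in events if e["EventCode"] == 1
            and image_name(e["Image"]) in CONFIG["ParentProcessName"]
            and REGISTRATION_RE.search(e.get("CommandLine", ""))]

def suspicious_module_loads(events):
    """Sysmon EventCode=7: an in-scope process (w3wp.exe) loads a DLL outside WatchedPaths,
    unsigned, or with a high-entropy name. Returns (event, reasons) pairs."""
    hits = []
    for e in events:
        if e["EventCode"] != 7 or image_name(e["Image"]) not in CONFIG["ParentProcessName"]:
            continue
        dll = e["ImageLoaded"]
        checks = [("outside_watched_path", not under_watched_path(dll)),
                  ("unsigned", str(e.get("Signed", "")).lower() != "true"),
                  ("high_entropy_name", name_entropy(dll) > CONFIG["DLLNameEntropyThreshold"])]
        reasons = [label for label, hit in checks if hit]
        if reasons:
            hits.append((e, reasons))
    return hits

def detect(events):
    """Per-event analytics plus the chained one; EventCode=11 (file creation) enriches chain alerts."""
    events = sorted(events, key=lambda e: parse_time(e["UtcTime"]))
    created = {e["TargetFilename"].lower(): e["Image"] for e in events if e["EventCode"] == 11}
    regs, loads, alerts = registration_events(events), suspicious_module_loads(events), []
    for r in regs:
        if r.get("User") not in CONFIG["UserContext"]:
            alerts.append({"severity": "medium", "rule": "registration_by_unexpected_user",
                           "user": r.get("User"), "cmd": r["CommandLine"]})
    for e, reasons in loads:
        alerts.append({"severity": "medium", "rule": "suspicious_w3wp_module_load",
                       "dll": e["ImageLoaded"], "reasons": reasons})
    # Chained analytic: a registration naming a DLL, then w3wp.exe loading that DLL within TimeWindow
    for r in regs:
        m = IMAGE_ARG_RE.search(r["CommandLine"])
        if not m:
            continue
        dll, t0 = m.group(1).lower(), parse_time(r["UtcTime"])
        for e, _ in loads:
            t1 = parse_time(e["UtcTime"])
            if e["ImageLoaded"].lower() == dll and t0 <= t1 <= t0 + CONFIG["TimeWindow"]:
                alerts.append({"severity": "high", "rule": "registration_followed_by_w3wp_load",
                               "dll": e["ImageLoaded"], "user": r.get("User"),
                               "dropped_by": created.get(dll), "delta_s": (t1 - t0).total_seconds()})
    return alerts

# Constructed sample telemetry: a DLL dropped under C:\inetpub\temp, registered with AppCmd by a
# service account, then loaded by w3wp.exe; plus a benign module load and a benign AppCmd query.
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2025-10-21 08:59:50", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\inetpub\temp\a8f3kq1zx7mp.dll"},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:00:05", "User": "CONTOSO\\svc-web",
     "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "CommandLine": r"appcmd.exe install module /name:HttpHelper /image:C:\inetpub\temp\a8f3kq1zx7mp.dll"},
    {"EventCode": 7, "UtcTime": "2025-10-21 09:03:12", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\inetpub\temp\a8f3kq1zx7mp.dll", "Signed": "false"},
    {"EventCode": 7, "UtcTime": "2025-10-21 09:03:13", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\System32\inetsrv\cachuri.dll", "Signed": "true"},
    {"EventCode": 1, "UtcTime": "2025-10-21 11:15:00", "User": "CONTOSO\\iisadmin",
     "Image": r"C:\Windows\System32\inetsrv\appcmd.exe", "CommandLine": "appcmd.exe list modules"},
]
```

Calling `detect(SAMPLE_EVENTS)` yields three alerts: a medium one because `svc-web` is outside UserContext, a medium one because w3wp.exe loaded an unsigned DLL from outside WatchedPaths with a high-entropy name, and a high one because that load followed the AppCmd registration of the same path 187 seconds later, enriched with the process that dropped the file. The benign cachuri.dll load and the `appcmd list modules` query produce nothing. Two caveats: the entropy check is weak on short names (most legitimate IIS DLL stems score below 3), so treat it as a tiebreaker rather than a standalone signal, and the whole chain depends on Sysmon image-load logging being enabled for w3wp.exe.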