Fantastic IIS Modules and How to Find Them
Comprehensive guide to detecting malicious IIS modules used for persistence, credential theft, and backdoor access on web servers.
iis modules persistence backdoor detection splunk
Originally published on the Splunk Security Blog
Read the full article: Fantastic IIS Modules and How to Find Them
Why IIS Modules?
IIS modules are the ultimate web server persistence:
- In the request pipeline - Every request and response passes through them, after TLS has already been terminated
- Survive reboots - Registered in applicationHost.config (or a site's web.config), so they reload with the worker process
- Run inside w3wp.exe - Inherit the application pool identity and the worker process's access to every hosted application
- Low footprint - No web shell in the webroot; a native module is a DLL that can live anywhere on disk, a managed module is a .NET assembly in the GAC or a bin folder
Types of Malicious IIS Modules
Credential Harvesters
Intercept and log authentication material, which the module sees in clear text because it runs after TLS termination:
- Basic auth credentials
- Form submissions
- Session tokens
Backdoors
Provide remote access:
- Execute commands via HTTP headers
- File upload/download
- Reverse shells
Traffic Manipulation
Modify responses on the way out:
- Inject scripts or payloads into served pages (SEO fraud, drive-by downloads)
- Redirect selected users
- Copy sensitive response data out of band
Detection Strategies
Module Registration
Native modules are registered with appcmd install module, managed modules enabled with appcmd add module, and gacutil drops a managed assembly into the GAC. All three leave a process-creation trail (Event 4688 only carries CommandLine if command-line auditing is enabled; Sysmon Event 1 works as well):
index=windows EventCode=4688
(CommandLine="*appcmd*install module*" OR CommandLine="*appcmd*add module*" OR CommandLine="*gacutil*")
| table _time, Computer, User, CommandLine
Registration through PowerShell (New-WebGlobalModule, Add-WebConfiguration) or a hand-edited applicationHost.config never spawns appcmd, so pair this with the file-change searches below.
applicationHost.config Changes
IIS rewrites %windir%\System32\inetsrv\config\applicationHost.config on every configuration change and, with configuration history enabled (the default), stores a copy under %SystemDrive%\inetpub\history\, so a FileCreate event on that name is a usable change signal even though Sysmon Event 11 is not a pure "file modified" event:
index=sysmon EventCode=11
TargetFilename="*applicationHost.config*"
| table _time, Computer, User, Image, TargetFilename
Baseline which processes legitimately write it (IIS Manager, appcmd.exe, your deployment tooling) and alert on any other Image or on changes outside maintenance windows.
New DLLs in IIS Paths
index=sysmon EventCode=11
(TargetFilename="*\\inetpub\\*" OR TargetFilename="*\\System32\\inetsrv\\*")
TargetFilename="*.dll"
| table _time, Computer, User, Image, TargetFilename
Sysmon Event 11 carries no hash field; the hash of a dropped module appears in Event 7 once w3wp.exe loads it (or in Event 29, FileExecutableDetected, on Sysmon 14 and later). Attackers are not bound to these directories either: a native module's image path can point anywhere on disk, so treat this search as a cheap first filter rather than a complete check.
Unsigned Module Loads
index=sysmon EventCode=7
Image="*\\w3wp.exe"
Signed="false"
| table _time, Computer, ImageLoaded, Signed, SignatureStatus, Hashes
This only fires if the Sysmon configuration includes ImageLoad events for w3wp.exe; many configs exclude Event 7 for volume. Expect noise from dynamically compiled ASP.NET assemblies under Temporary ASP.NET Files, which are unsigned by design; exclude that path and review everything that remains, and check the Signature field on signed loads too, since a signature by an unexpected publisher is just as interesting.
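Where no SIEM is in the loop, the same "unsigned module load" hunt can be run against the local Sysmon log. The following PowerShell is an added example for this page, not code from the Splunk article; it assumes Sysmon is installed with ImageLoad (Event ID 7) enabled for w3wp.exe, and the Temporary ASP.NET Files exclusion is my own default.

```powershell
# Added example (not from the original article): hunt Sysmon Event 7 for DLLs
# loaded into IIS worker processes that are not validly signed.
# Assumes Sysmon is installed and its config includes ImageLoad for w3wp.exe.
function Get-UnsignedIisModuleLoads {
    param(
        [int]$Hours = 24,
        # Dynamically compiled ASP.NET assemblies are unsigned by design; filter them out
        [string[]]$ExcludePathPatterns = @('*\Temporary ASP.NET Files\*')
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 7                                   # ImageLoad
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Flatten the <Data Name="..."> elements into field -> value
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.Image -notlike '*\w3wp.exe') { return }                         # IIS worker processes only
        if ($d.Signed -eq 'true' -and $d.SignatureStatus -eq 'Valid') { return } # validly signed: skip
        foreach ($p in $ExcludePathPatterns) { if ($d.ImageLoaded -like $p) { return } }

        [pscustomobject]@{
            Time            = $_.TimeCreated
            Computer        = $_.MachineName
            Image           = $d.Image
            ImageLoaded     = $d.ImageLoaded
            Signed          = $d.Signed
            SignatureStatus = $d.SignatureStatus
            Hashes          = $d.Hashes
        }
    }
}

# Usage: everything w3wp.exe loaded in the last day that is not validly signed
Get-UnsignedIisModuleLoads -Hours 24 | Format-Table -AutoSize
```

The filter keeps loads that are signed but whose SignatureStatus is not Valid (revoked, expired, or untrusted chains), which the plain Signed="false" search misses. Review the Hashes column against your module baseline rather than trusting the path.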
Known Malicious Modules
- IIS-Raid - MDSec's open-source native module backdoor; logs credentials from requests and executes commands passed in a custom HTTP header
- Owowa - Kaspersky-reported managed module for Exchange OWA that logs credentials and executes commands
- SessionManager - Kaspersky-reported native module backdoor deployed on Exchange servers of government and NGO targets
- FinFisher - Commercial spyware
Baseline Your Environment
Know what's normal. The WebAdministration cmdlets below list native modules with their DLL path and managed modules with their .NET type, as registered at the server level in applicationHost.config:
# List installed modules
Import-Module WebAdministration
Get-WebGlobalModule | Select Name, Image
Get-WebManagedModule | Select Name, Type
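A listing is only useful if it is compared against something. The script below is an added example for this page (not the article's code): it turns the two cmdlets above into a signed and hashed inventory, writes it out as a baseline on first run, and on later runs reports modules that are new, changed, or not validly signed. It assumes the WebAdministration module is available, an elevated prompt, and a baseline path of my choosing.

```powershell
# Added example (not from the original article): inventory IIS modules, verify
# Authenticode signatures on native DLLs, and diff against a saved baseline.
# Requires the WebAdministration module and an elevated prompt.
Import-Module WebAdministration

function Get-IisModuleInventory {
    # Native modules: DLLs registered in <globalModules>; Image may contain %windir%
    $native = Get-WebGlobalModule | ForEach-Object {
        $path   = [Environment]::ExpandEnvironmentVariables($_.Image)
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Kind      = 'Native'
            Name      = $_.Name
            Image     = $path
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256    = if ($exists) { (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash } else { '' }
        }
    }
    # Managed modules: .NET types registered in <modules>; the assembly lives in
    # the GAC or a bin folder, so there is no single file to hash here
    $managed = Get-WebManagedModule | ForEach-Object {
        [pscustomobject]@{
            Kind      = 'Managed'
            Name      = $_.Name
            Image     = $_.Type
            SigStatus = 'n/a'
            Signer    = ''
            Sha256    = ''
        }
    }
    @($native) + @($managed)
}

# Keying on the hash means a DLL swapped under an existing module name is reported
function Get-ModuleKey($m) { "$($m.Kind)|$($m.Name)|$($m.Image)|$($m.Sha256)" }

function Compare-IisModuleBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $current = Get-IisModuleInventory

    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        # First run: persist the inventory and review it by hand before trusting it
        $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
        Write-Warning "No baseline found; wrote $($current.Count) modules to $BaselinePath"
        return
    }

    $known = @{}
    foreach ($b in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $known[(Get-ModuleKey $b)] = $true
    }

    foreach ($m in $current) {
        $findings = @()
        if (-not $known.ContainsKey((Get-ModuleKey $m))) { $findings += 'NotInBaseline' }
        if ($m.Kind -eq 'Native' -and $m.SigStatus -ne 'Valid') { $findings += 'UnsignedOrMissing' }
        if ($findings) {
            $m | Add-Member -NotePropertyName Finding -NotePropertyValue ($findings -join ',') -PassThru
        }
    }
}

# Usage: the first run writes the baseline, later runs print only deviations
Compare-IisModuleBaseline -BaselinePath 'C:\Baselines\iis-modules.json' | Format-Table -AutoSize
```

Two caveats. Get-WebGlobalModule and Get-WebManagedModule without -PSPath only read the server level; a managed module added in a site's web.config needs a per-site pass (Get-WebManagedModule -PSPath 'IIS:\Sites\<site>') or a search of each web.config for additions under <modules>. And a Valid signature status is necessary, not sufficient: compare the Signer column against the publishers you expect (Microsoft, your vendors), since a module signed with an attacker-controlled certificate passes the status check.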
Defense
- Baseline legitimate modules
- Monitor applicationHost.config
- Alert on new DLLs in IIS directories
- Verify module signatures
- Regular IIS audits