SharePoint Exploits and the Hidden Threat of IIS Module Persistence

Deep dive into SharePoint exploitation techniques and how attackers use malicious IIS modules for stealthy persistence in enterprise environments.

Originally published on the Splunk Security Blog
Read the full article: SharePoint Exploits and IIS Module Persistence

The SharePoint Attack Surface

SharePoint servers are high-value targets. They’re often internet-facing, contain sensitive data, and run with elevated privileges. When attackers compromise SharePoint, they frequently establish persistence through malicious IIS modules.

Why IIS Modules?

IIS modules are the perfect hiding spot:

  • Loaded at startup - Survives reboots
  • Runs in IIS context - High privileges
  • Rarely audited - Defenders don’t know what’s normal
  • Full request access - Can intercept credentials, inject content

Attack Chain

  1. Initial Access - Exploit SharePoint vulnerability
  2. Code Execution - Deploy web shell or execute commands
  3. Persistence - Install malicious IIS module
  4. Collection - Intercept authentication, harvest data

Detection Opportunities

New Module Registration

Monitor process-creation events (Event ID 4688) for unexpected IIS module installations through appcmd.exe or gacutil:

index=windows EventCode=4688 
  (CommandLine="*appcmd.exe*install*" OR CommandLine="*gacutil*")
| table _time, Computer, User, CommandLine

Unusual Module Files

Look for DLLs created in IIS directories, using Sysmon file-creation events (Event ID 11):

index=sysmon EventCode=11 
  TargetFilename="*\\inetpub\\*" TargetFilename="*.dll"
| stats count by TargetFilename, Computer

Defense Recommendations

  • Baseline legitimate IIS modules in your environment
  • Monitor applicationHost.config for changes
  • Alert on new DLLs in web directories
  • Regular SharePoint patching
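
One way to act on the first two recommendations, as an added example that is not from the original article: the Python script below parses the `globalModules` and `modules` lists of an applicationHost.config and reports entries that are missing from a baseline, changed, or native images outside the expected directory. The sample config, the baseline, the names ExampleHelper and ExampleManaged, and the assumption that native modules live under `%windir%\System32\inetsrv` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (illustrative, not from a real host).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="ExampleHelper" image="C:\inetpub\temp\example_helper.dll" />
    </globalModules>
    <modules>
      <add name="HttpCacheModule" lockItem="true" />
      <add name="ExampleHelper" />
      <add name="ExampleManaged" type="Example.Web.Module, Example.Web" />
    </modules>
  </system.webServer>
</configuration>"""

# Hypothetical baseline: {(section, module name): approved image or type}.
BASELINE = {
    ("globalModules", "HttpCacheModule"): r"%windir%\System32\inetsrv\cachhttp.dll",
    ("modules", "HttpCacheModule"): "",
}
# Assumption: native modules are expected under this directory on the audited host.
EXPECTED_DIR = "%windir%\\system32\\inetsrv\\"

def load_modules(config_xml):
    """Return {(section, name): image-or-type} for every <add> in both module lists."""
    root = ET.fromstring(config_xml)
    # iter() finds the lists at any depth, including inside <location> elements.
    return {(sec, add.get("name", "")): add.get("image") or add.get("type") or ""
            for sec in ("globalModules", "modules")
            for parent in root.iter(sec) for add in parent.findall("add")}

def audit(config_xml, baseline):
    """Return sorted (reason, section, name, value) findings against the baseline."""
    findings = []
    for (sec, name), value in load_modules(config_xml).items():
        approved = baseline.get((sec, name))
        if approved is None:
            findings.append(("not-in-baseline", sec, name, value))
        elif approved.lower() != value.lower():
            findings.append(("changed", sec, name, value))
        # Triage hint only: legitimate add-on modules can also live elsewhere.
        if sec == "globalModules" and not value.lower().startswith(EXPECTED_DIR):
            findings.append(("outside-expected-dir", sec, name, value))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, BASELINE):
        print(*finding, sep=" | ")
```

Run it against a copy of the host's applicationHost.config on a schedule, and regenerate the baseline only as part of an approved change.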
