title: IIS Native-Code Module Command Line Installation
author: Florian Roth
date: 2012/12/11
description: Detects suspicious IIS native-code module installations via command line
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image: '*\appcmd.exe'
    SELECTION_3:
        CommandLine: '*install*'
    SELECTION_4:
        CommandLine: '*module*'
    SELECTION_5:
        CommandLine: '*/name:*'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown as it may vary from organisation to arganisation how admins use to install
    IIS modules
id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
level: medium
logsource:
    category: process_creation
    product: windows
modified: 2020/11/28
references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
status: experimental
tags:
- attack.persistence
- attack.t1505.003
- attack.t1100
yml_filename: win_susp_iss_module_install.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation