Detection: Windows IIS Components Get-WebGlobalModule Module Query

Description

The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation.

`iis_get_webglobalmodule`
| stats count min(_time) as firstTime max(_time) as lastTime by host name image
| rename host as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_iis_components_get_webglobalmodule_module_query_filter`

Data Source

Name                              Platform  Sourcetype                 Source
Powershell Installed IIS Modules  Windows   Pwsh:InstalledIISModules   powershell://AppCmdModules

Macros Used

Name                                                            Value
iis_get_webglobalmodule                                         sourcetype="Pwsh:InstalledIISModules"
windows_iis_components_get_webglobalmodule_module_query_filter  search *

windows_iis_components_get_webglobalmodule_module_query_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK

ID         Technique                  Tactic
T1505.004  IIS Components             Persistence
T1505      Server Software Component  Persistence

Kill Chain Phases: KillChainPhase.INSTALLATION
NIST: NistCategory.DE_AE
CIS: Cis18Value.CIS_10
Threat Actors: none listed

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting             Value
Disabled            true
Cron Schedule       0 * * * *
Earliest Time       -70m@m
Latest Time         -10m@m
Schedule Window     auto
Creates Risk Event  False

This configuration file applies to all detections of type hunting.

Implementation

You must ingest the output of the PowerShell cmdlet Get-WebGlobalModule in order to use this analytic. Follow the collection guide at https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040

Known False Positives

This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.
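The search above and the fleet-hunting use described here can be reproduced offline. The following is an added example, not code from the Splunk Security Content project: it re-implements the `stats ... by host name image` / `rename host as dest` aggregation in Python over constructed Pwsh:InstalledIISModules-style events, and then adds two hunting aids that the SPL leaves to the analyst: a module/DLL pair seen on only one server in the fleet, and a module whose image path sits outside the standard inetsrv directory. The field names (host, name, image, _time), the sample hosts and the EXPECTED_DIRS allow-list are assumptions for this example and should be tuned to the environment.

```python
"""Added example (not part of the Splunk Security Content detection): a stand-alone
re-implementation of the search's aggregation plus two fleet-hunting checks."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events. Field names mirror those the search aggregates on;
# every host, module and path below is made up for this example.
INETSRV = "%windir%\\System32\\inetsrv\\"
SAMPLE_EVENTS = [
    {"_time": 1700000000, "host": "web01", "name": "DefaultDocumentModule", "image": INETSRV + "defdoc.dll"},
    {"_time": 1700003600, "host": "web01", "name": "DefaultDocumentModule", "image": INETSRV + "defdoc.dll"},
    {"_time": 1700000000, "host": "web02", "name": "DefaultDocumentModule", "image": INETSRV + "defdoc.dll"},
    {"_time": 1700000000, "host": "web03", "name": "DefaultDocumentModule", "image": INETSRV + "defdoc.dll"},
    # constructed: a custom module deployed fleet-wide from a non-standard directory
    {"_time": 1700000000, "host": "web01", "name": "CustomAuthModule", "image": "C:\\inetpub\\modules\\custom.dll"},
    {"_time": 1700000000, "host": "web02", "name": "CustomAuthModule", "image": "C:\\inetpub\\modules\\custom.dll"},
    {"_time": 1700000000, "host": "web03", "name": "CustomAuthModule", "image": "C:\\inetpub\\modules\\custom.dll"},
    # constructed: a module present on a single host only
    {"_time": 1700007200, "host": "web02", "name": "ExampleModule", "image": "C:\\temp\\example.dll"},
]

# Assumed allow-list of directories where built-in IIS module DLLs normally live.
# Tune this to the fleet; legitimate modules can also be installed elsewhere.
EXPECTED_DIRS = ("%windir%\\system32\\inetsrv\\", "c:\\windows\\system32\\inetsrv\\")


def aggregate(events):
    """Mirror of `stats count min(_time) as firstTime max(_time) as lastTime by host name image`
    followed by `rename host as dest`. Returns one row dict per (host, name, image) group."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["name"], e["image"])].append(e["_time"])
    rows = []
    for (host, name, image), times in sorted(groups.items()):
        rows.append({"dest": host, "name": name, "image": image,
                     "count": len(times), "firstTime": min(times), "lastTime": max(times)})
    return rows


def ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch seconds to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def rare_modules(rows, max_hosts=1):
    """Fleet hunting aid: (name, image) pairs seen on at most `max_hosts` distinct servers.
    A module that only one server in a uniform fleet loads is worth a closer look."""
    hosts_by_module = defaultdict(set)
    for r in rows:
        hosts_by_module[(r["name"], r["image"])].add(r["dest"])
    return sorted(m for m, hosts in hosts_by_module.items() if len(hosts) <= max_hosts)


def outside_inetsrv(rows):
    """Fleet hunting aid: (name, image) pairs whose DLL is not under an expected directory."""
    return sorted({(r["name"], r["image"]) for r in rows
                   if not r["image"].lower().startswith(EXPECTED_DIRS)})


if __name__ == "__main__":
    rows = aggregate(SAMPLE_EVENTS)
    for r in rows:
        print(f'{r["dest"]:6} {r["name"]:24} {r["image"]:40} count={r["count"]} '
              f'first={ctime(r["firstTime"])} last={ctime(r["lastTime"])}')
    print("rare across fleet:", rare_modules(rows))
    print("outside inetsrv:  ", outside_inetsrv(rows))
```

In this constructed data the rarity check surfaces only ExampleModule, while the path check also surfaces CustomAuthModule; the two views answer different questions (is this module unusual for the fleet, and is its DLL where built-in modules live), and both are meant to narrow a fleet-wide listing rather than to alert on their own.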

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message                              Risk Score  Impact  Confidence
IIS Modules have been listed on $dest$.   1           10      10

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence) / 100. The initial Confidence and Impact are set by the analytic author.

References

Detection Testing

Test Type    Status   Dataset  Source                      Sourcetype
Validation   Passing  N/A      N/A                         N/A
Unit         Passing  Dataset  powershell://AppCmdModules  Pwsh:InstalledIISModules
Integration  Passing  Dataset  powershell://AppCmdModules  Pwsh:InstalledIISModules

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 3