SigmaHQ/rules/windows/process_creation/win_susp_iss_module_install.yml

23 lines
744 B
YAML
Raw Normal View History

title: IIS Native-Code Module Command Line Installation
2019-11-12 22:12:27 +00:00
id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
description: Detects suspicious IIS native-code module installations via command line
status: experimental
references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
author: Florian Roth
modified: 2012/12/11
tags:
- attack.persistence
- attack.t1100
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*\APPCMD.EXE install module /name:*'
condition: selection
falsepositives:
- Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
level: medium