---
action: global
title: IIS Native-Code Module Command Line Installation
description: Detects suspicious IIS native-code module installations via command line
status: experimental
references:
    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
author: Florian Roth
tags:
    - attack.persistence
    - attack.t1100
detection:
    selection:
        CommandLine: 
            - '*\APPCMD.EXE install module /name:*'
    condition: selection
falsepositives: 
    - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
level: medium
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
---
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688