cscli scenarios install sigmahq/proc_creation_win_iis_susp_module_registration1type: trigger2name: sigmahq/proc_creation_win_iis_susp_module_registration3description: |4 Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.ParentImage endsWith '\\w3wp.exe' && (evt.Parsed.CommandLine contains 'appcmd.exe add module' || evt.Parsed.CommandLine contains ' system.enterpriseservices.internal.publish' && evt.Parsed.Image endsWith '\\powershell.exe' || evt.Parsed.CommandLine contains 'gacutil' && evt.Parsed.CommandLine contains ' /I'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t1505.0041516 label: "Suspicious IIS Module Registration"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324