Description
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)
Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)
Platforms
Mitigations (4)
Privileged Account ManagementM1026
Do not allow administrator accounts that have permissions to add IIS components to be used for day-to-day operations that may expose these permissions to potential adversaries and/or other unprivileged systems.
Execution PreventionM1038
Restrict unallowed ISAPI extensions and filters from running by specifying a list of ISAPI extensions and filters that can run on IIS.(Citation: Microsoft ISAPICGIRestriction 2016)
AuditM1047
Regularly check installed IIS components to verify the integrity of the web server and identify if unexpected changes have been made.
Code SigningM1045
Ensure IIS DLLs and binaries are signed by the correct application developers.
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0258 | RGDoor | Malware | [RGDoor](https://attack.mitre.org/software/S0258) establishes persistence on webservers as an IIS module.(Citation: Unit 42 RGDoor Jan 2018)(Citation:... |
| S1022 | IceApple | Malware | [IceApple](https://attack.mitre.org/software/S1022) is an IIS post-exploitation framework, consisting of 18 modules that provide several functionaliti... |
| S0072 | OwaAuth | Malware | [OwaAuth](https://attack.mitre.org/software/S0072) has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.... |
Related CWE Weaknesses
References
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
- Grunzweig, J. (2013, December 9). The Curious Case of the Malicious IIS Module. Retrieved June 3, 2021.
- Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021.
- Julien. (2011, February 2). IIS Backdoor. Retrieved June 3, 2021.
- Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021.
- Microsoft. (2017, June 16). Intercepting All Incoming IIS Requests. Retrieved June 3, 2021.
- Microsoft. (2017, June 16). ISAPI Extension Overview. Retrieved June 3, 2021.
- Microsoft. (2017, June 16). ISAPI Filter Overview. Retrieved June 3, 2021.
- MMPC. (2012, October 3). Malware signed with the Adobe code signing certificate. Retrieved June 3, 2021.
Frequently Asked Questions
What is T1505.004 (IIS Components)?
T1505.004 is a MITRE ATT&CK technique named 'IIS Components'. It belongs to the Persistence tactic(s). Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the we...
How can T1505.004 be detected?
Detection of T1505.004 (IIS Components) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1505.004?
There are 4 documented mitigations for T1505.004. Key mitigations include: Privileged Account Management, Execution Prevention, Audit, Code Signing.
Which threat groups use T1505.004?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.