Windows IIS Components Get-WebGlobalModule Module Query

Name:Windows IIS Components Get-WebGlobalModule Module Query
id:20db5f70-34b4-4e83-8926-fa26119de173
version:3
date:2024-10-17
author:Michael Haag, Splunk
status:production
type:Hunting
Description:The following analytic identifies the execution of the PowerShell cmdlet Get-WebGlobalModule, which lists all IIS Modules installed on a system. It leverages PowerShell input data to detect this activity by capturing the module names and the image paths of the DLLs. This activity is significant for a SOC because it can indicate an attempt to enumerate installed IIS modules, which could be a precursor to exploiting vulnerabilities or misconfigurations. If confirmed malicious, this could allow an attacker to gain insights into the web server's configuration, potentially leading to further exploitation or privilege escalation.
Data_source:

• -Powershell Installed IIS Modules

search:`iis_get_webglobalmodule`
| stats count min(_time) as firstTime max(_time) as lastTime by host name image
| rename host as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_iis_components_get_webglobalmodule_module_query_filter`

how_to_implement:You must ingest the PwSh cmdlet Get-WebGlobalModule in order to utilize this analytic. Follow https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040
known_false_positives:This analytic is meant to assist with hunting modules across a fleet of IIS servers. Filter and modify as needed.
References:
  -https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/MonitorWindowsdatawithPowerShellscripts
  -https://gist.github.com/MHaggis/64396dfd9fc3734e1d1901a8f2f07040
  -https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1505.004
drilldown_searches:
  :
tags:
  analytic_story:
    - 'IIS Components'
    - 'WS FTP Server Critical Vulnerabilities'
  asset_type:Endpoint
  confidence:10
  impact:10
  message:IIS Modules have been listed on $dest$.
  mitre_attack_id:
    - 'T1505.004'
    - 'T1505'
  observable:
    name:'dest'
    type:'Hostname'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'host'
    - 'name'
    - 'image'
  risk_score:1
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log
  source: powershell://AppCmdModules
  sourcetype: Pwsh:InstalledIISModules
  update_timestamp: True
manual_test:None