
Summary
This detection rule identifies potentially malicious installations of IIS native-code modules via command-line execution. It focuses on processes that use 'appcmd.exe' to install IIS modules. The detection logic has two components. First, it matches command lines that contain both 'install' and 'module' and also carry the argument '-name:' followed by the expected parameters. Second, only instances of 'appcmd.exe' started from 'C:\Windows\System32\inetsrv\iissetup.exe' are evaluated, which avoids false positives from ordinary 'appcmd.exe' executions. The rule targets a persistence mechanism threat actors often use to keep unauthorized access to web servers. Given the complexity of IIS module installations, organizations are cautioned that legitimate administrative actions may also trigger alerts, so each instance should be investigated to determine whether it is malicious or a standard operational procedure.
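As an added illustration, not the rule's own code, the matching logic described above implemented in Python and run over a few constructed process-creation events. The field names Image, ParentImage and CommandLine, the case-insensitive comparison, and the module_name triage helper are assumptions.

```python
import re

# Constructed sample process-creation events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {  # expected hit: appcmd.exe installing a module, launched by iissetup.exe
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\iissetup.exe",
        "CommandLine": r"appcmd.exe install module -name:ExampleModule -image:C:\inetpub\example.dll",
    },
    {  # no hit: same command line, but the parent is not iissetup.exe
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"appcmd.exe install module -name:ExampleModule -image:C:\inetpub\example.dll",
    },
    {  # no hit: read-only listing, not an install
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\iissetup.exe",
        "CommandLine": "appcmd.exe list module",
    },
    {  # no hit: the tokens appear, but the image is not appcmd.exe
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\iissetup.exe",
        "CommandLine": "cmd.exe /c echo install module -name:x",
    },
]

# Substrings the summary requires in the command line.
REQUIRED_TOKENS = ("install", "module", "-name:")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the summarised rule: appcmd.exe started by
    iissetup.exe with 'install', 'module' and '-name:' on its command line.
    Comparison is case-insensitive (assumption: Windows paths/args vary in case)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith("\\appcmd.exe"):
        return False
    if not parent.endswith("\\iissetup.exe"):
        return False
    return all(token in cmdline for token in REQUIRED_TOKENS)


def module_name(cmdline: str):
    """Extract the value after '-name:' for triage; None if absent (assumed helper)."""
    m = re.search(r"-name:(\S+)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def find_hits(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_rule(e)]
```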
Categories
- Endpoint
- Windows
- Cloud
- On-Premise
- Infrastructure
Data Sources
- Process
- Windows Registry
- Logon Session
Created: 2019-12-11