
Summary
This detection rule identifies the addition of a new module to an IIS (Internet Information Services) server. It relies on Windows Event Logs, specifically Event ID 29, which records IIS configuration changes. The rule fires when a logged event reports a configuration path under `/system.webServer/modules/add`, i.e. a module addition. To reduce false positives, the condition filters out a set of common built-in modules that may be added during routine administration. The rule matters because a newly added module is a known persistence and defense-evasion technique: an attacker who can load a module into IIS can gain unauthorized access to the server or execute malicious code within it. The rule carries medium severity; security teams should treat module changes as potentially indicative of an attack.
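As an added illustration (not part of the rule or this page), the following Python sketch applies the described logic to a few constructed event records; the field names `Channel`, `EventID`, `ConfigPath` and `ModuleName`, the channel name, and the built-in-module allowlist are assumptions, not the rule's actual definitions.

```python
# Added illustration of the detection logic: Event ID 29, a configuration
# path under /system.webServer/modules/add, and an allowlist of built-in
# modules. Field names, channel name and allowlist are assumptions.
IIS_CONFIG_CHANNEL = "Microsoft-IIS-Configuration/Operational"  # assumed
MODULE_ADD_PATH = "/system.webServer/modules/add"

# Illustrative allowlist of built-in IIS modules that routine administration
# may add; the rule's real filter list is not reproduced on this page.
BUILTIN_MODULES = frozenset({
    "AnonymousAuthenticationModule", "DefaultDocumentModule",
    "DirectoryListingModule", "HttpLoggingModule", "ProtocolSupportModule",
    "RequestFilteringModule", "StaticCompressionModule", "StaticFileModule",
})


def is_new_iis_module(event: dict) -> bool:
    """Return True when the event is an IIS module addition not on the allowlist."""
    if event.get("Channel") != IIS_CONFIG_CHANNEL or event.get("EventID") != 29:
        return False
    # The configuration path must sit under the modules/add node.
    if MODULE_ADD_PATH not in str(event.get("ConfigPath", "")):
        return False
    # Built-in modules are filtered out to keep the false-positive rate down.
    return event.get("ModuleName", "") not in BUILTIN_MODULES


def find_alerts(events):
    """Return the module names that trigger the detection."""
    return [e["ModuleName"] for e in events if is_new_iis_module(e)]


# Constructed sample records (not real log output).
SAMPLE_EVENTS = [
    # Routine: built-in module added -> filtered out.
    {"Channel": IIS_CONFIG_CHANNEL, "EventID": 29,
     "ConfigPath": "/system.webServer/modules/add", "ModuleName": "StaticFileModule"},
    # Same event ID but a handler change, not a module -> ignored.
    {"Channel": IIS_CONFIG_CHANNEL, "EventID": 29,
     "ConfigPath": "/system.webServer/handlers/add", "ModuleName": "ExampleHandler"},
    # Unknown module added -> alert.
    {"Channel": IIS_CONFIG_CHANNEL, "EventID": 29,
     "ConfigPath": "/system.webServer/modules/add", "ModuleName": "ExampleCustomModule"},
    # Different event ID -> ignored.
    {"Channel": IIS_CONFIG_CHANNEL, "EventID": 50,
     "ConfigPath": "/system.webServer/modules/add", "ModuleName": "ExampleCustomModule"},
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # ['ExampleCustomModule']
```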
Categories
- Web
Data Sources
- Windows Registry
- Application Log
Created: 2024-10-06