Clankerusecase
MITRE ATT&CK detection coverage

T1505.004 IIS Components

T1505.004 — IIS Components is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 16 detection use cases covering it and 2 threat-intel articles citing it.

Persistence
16 Use cases
2 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (16)

[WEEKLY] Internet-facing server process spawns interpreter then beacons to first-seen external host within 5 minutes | Internal | install · alerting | DSPDD
Windows Disable Windows Event Logging Disable HTTP Logging | ESCU | actions · hunting | P
Windows IIS Components Add New Module | ESCU | actions · hunting | P
Windows IIS Components Get-WebGlobalModule Module Query | ESCU | actions · hunting | P
Windows IIS Components Module Failed to Load | ESCU | actions · hunting | P
Windows IIS Components New Module Added | ESCU | actions · alerting | P
Windows PowerShell Add Module to Global Assembly Cache | ESCU | actions · alerting | P
Windows PowerShell Disable HTTP Logging | ESCU | actions · alerting | P
Windows PowerShell IIS Components WebGlobalModule Usage | ESCU | actions · hunting | P
Windows Server Software Component GACUtil Install to GAC | ESCU | actions · alerting | P
Windows Shell or Script Execution From IIS Directory | ESCU | actions · hunting | P
[LLM] BadIIS rogue native module drop in IIS folders (demo.pdb / Chinese path heuristic) | Bespoke | install · hunting | DSΣPDDCS
[LLM] BadIIS demo.pdb variant known SHA256 file/process hashes | Bespoke | install · alerting | DSΣPDDCS
[LLM] IIS worker (w3wp.exe) initiating outbound connection to public IP | Bespoke | c2 · hunting | DSPDDCS
[LLM] IIS native module DLL drop or applicationHost.config modification by non-IIS process | Bespoke | install · alerting | DSΣPDDCS
[LLM] IIS worker (w3wp.exe) writing robots.txt / .php / .js into web root | Bespoke | actions · alerting | DSΣPDDCS

Articles citing this technique (2)