T1505.004 IIS Components Mappings

Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)

Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)

Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports <code>RegisterModule</code>, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1505.004 IIS Components
AC-3 Access Enforcement Protects T1505.004 IIS Components
AC-4 Information Flow Enforcement Protects T1505.004 IIS Components
AC-6 Least Privilege Protects T1505.004 IIS Components
CA-8 Penetration Testing Protects T1505.004 IIS Components
CM-11 User-installed Software Protects T1505.004 IIS Components
CM-2 Baseline Configuration Protects T1505.004 IIS Components
CM-6 Configuration Settings Protects T1505.004 IIS Components
CM-7 Least Functionality Protects T1505.004 IIS Components
CM-8 System Component Inventory Protects T1505.004 IIS Components
IA-2 Identification and Authentication (organizational Users) Protects T1505.004 IIS Components
RA-5 Vulnerability Monitoring and Scanning Protects T1505.004 IIS Components
SA-10 Developer Configuration Management Protects T1505.004 IIS Components
SA-11 Developer Testing and Evaluation Protects T1505.004 IIS Components
SC-7 Boundary Protection Protects T1505.004 IIS Components
SI-14 Non-persistence Protects T1505.004 IIS Components
SI-16 Memory Protection Protects T1505.004 IIS Components
SI-3 Malicious Code Protection Protects T1505.004 IIS Components
SI-4 System Monitoring Protects T1505.004 IIS Components
SI-7 Software, Firmware, and Information Integrity Protects T1505.004 IIS Components
SR-11 Component Authenticity Protects T1505.004 IIS Components
SR-4 Provenance Protects T1505.004 IIS Components
SR-5 Acquisition Strategies, Tools, and Methods Protects T1505.004 IIS Components
SR-6 Supplier Assessments and Reviews Protects T1505.004 IIS Components