MITRE ATT&CK® Analytic

AN0184: Analytic 0184

Adversary installs or modifies IIS components (ISAPI filters, extensions, or modules) using DLL files registered via configuration changes or administrative tools like AppCmd.exe. These components intercept or manipulate HTTP requests/responses for persistence or C2.

Enterprise | AN0184 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic concerns a Windows IIS risk pattern: unauthorized installation or modification of IIS components such as ISAPI filters, extensions, or modules using DLLs registered through configuration changes or administrative tools. For leaders, the practical issue is that web server components can become a durable control point inside an application path, allowing an intruder to intercept or manipulate HTTP traffic for persistence or command-and-control as described by ATT&CK.

Executive priority

Prioritize this where IIS supports externally facing applications, regulated services, or business-critical portals. The decision value is whether the organization can prove who changed IIS configuration, what DLLs are loaded by IIS, and whether web-server change control is monitored with enough detail for incident response and audit evidence. Because ATT&CK provides no official detection text or relationship context for this analytic, coverage should be validated locally rather than assumed from tool presence.

Technical view

For SOC, detection engineering, and IR teams, validate visibility on Windows IIS hosts for changes that register or alter ISAPI filters, extensions, or modules, especially DLL-backed components and use of administrative tooling such as AppCmd.exe. Baseline expected IIS modules and configuration state per server role, then investigate deviations, newly referenced DLL paths, unsigned or unexpected binaries where local policy supports that review, and configuration changes outside approved maintenance windows. Treat this as a web-server persistence/C2-relevant detection theme, but do not map it to additional tactics beyond the supplied ATT&CK object.

Likely telemetry

  • Windows process execution telemetry for IIS administration activity, including AppCmd.exe where collected
  • IIS configuration change records or file integrity monitoring for IIS configuration files
  • Inventory or configuration-state data showing registered IIS modules, ISAPI filters, and ISAPI extensions
  • File creation or modification telemetry for DLLs referenced by IIS components
  • Change-management records for approved IIS component updates

Detection direction

  • Confirm whether telemetry exists on all Windows IIS servers, not just workstations or domain controllers.
  • Build baselines of approved IIS components and alert on new, removed, or modified DLL-backed registrations.
  • Tune for legitimate administrative activity by correlating with maintenance windows, deployment pipelines, and change tickets.
  • Review AppCmd.exe and equivalent administrative configuration changes in context; the tool itself may be legitimate, so the detection value comes from the target setting, actor, timing, and resulting component path.
  • Account for blind spots such as unmanaged IIS hosts, insufficient command-line capture, missing file integrity monitoring, or configuration changes made by authorized deployment systems that are not centrally logged.

Mitigation priorities

  • Maintain an authoritative inventory of IIS servers and approved IIS modules, ISAPI filters, and extensions.
  • Enforce change control for IIS configuration and component deployment on Windows servers.
  • Restrict administrative access to IIS configuration to approved operators and service accounts.
  • Monitor and retain evidence for IIS configuration changes, process execution, and DLL file changes on web servers.
  • Use incident response playbooks to compare current IIS component state against a known-good baseline and to preserve related configuration and host telemetry.
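The baseline comparison recommended in the detection and mitigation lists above, as an added example (not Glexia's or MITRE's code): it parses the `globalModules` and `isapiFilters` sections of an IIS applicationHost.config, then reports DLL-backed registrations that were added, removed, or repointed relative to an approved baseline. The configuration text, module names, and DLL paths below are constructed for illustration, not real indicators.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of IIS applicationHost.config; all names and
# paths are illustrative, not real IoCs. A real check would read the file from
# %windir%\System32\inetsrv\config on the IIS host.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="ExampleHelperModule" image="C:\\inetpub\\temp\\helper.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ExampleFilter" path="C:\\inetpub\\filters\\example.dll" enabled="true" />
    </isapiFilters>
  </system.webServer>
</configuration>"""

# Approved baseline (constructed): component kind -> {name: backing DLL path}
BASELINE = {
    "globalModules": {
        "StaticFileModule": "%windir%\\System32\\inetsrv\\static.dll",
        "DefaultDocumentModule": "%windir%\\System32\\inetsrv\\defdoc.dll",
    },
    "isapiFilters": {},
}

def extract_components(config_xml):
    """Return {kind: {name: dll_path}} for native modules and ISAPI filters."""
    root = ET.fromstring(config_xml)
    found = {"globalModules": {}, "isapiFilters": {}}
    for section in root.iter("globalModules"):      # native modules: name + image DLL
        for add in section.findall("add"):
            found["globalModules"][add.get("name")] = add.get("image")
    for section in root.iter("isapiFilters"):       # ISAPI filters: name + path DLL
        for filt in section.findall("filter"):
            found["isapiFilters"][filt.get("name")] = filt.get("path")
    return found

def diff_against_baseline(current, baseline):
    """List (change, kind, name, dll_path) for registrations that deviate."""
    findings = []
    for kind in ("globalModules", "isapiFilters"):
        cur, base = current.get(kind, {}), baseline.get(kind, {})
        for name, path in cur.items():
            if name not in base:
                findings.append(("added", kind, name, path))
            elif base[name] != path:           # same name, DLL repointed elsewhere
                findings.append(("modified", kind, name, path))
        for name, path in base.items():
            if name not in cur:
                findings.append(("removed", kind, name, path))
    return sorted(findings)

if __name__ == "__main__":
    for finding in diff_against_baseline(extract_components(SAMPLE_CONFIG), BASELINE):
        print("%-8s %-13s %-22s %s" % finding)
```

Each finding should be triaged against change tickets and the maintenance window, since a deployment pipeline can legitimately register a new module.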

Analyst notes and limits

This Glexia take is based only on ATT&CK analytic AN0184. The object describes modification or installation of IIS components using DLLs registered through configuration changes or tools such as AppCmd.exe, with relevance to persistence or C2. No official detection logic, tactics list, mitigations, procedure examples, or relationships were supplied, so recommendations focus on defensible validation and telemetry readiness.

ATT&CK did not provide detection text or relationship context for this analytic. Local IIS architecture, deployment practices, logging configuration, and change-management data are required to determine priority, false-positive patterns, and actual detection coverage.

Official MITRE ATT&CK definition

Analytic 0184

Adversary installs or modifies IIS components (ISAPI filters, extensions, or modules) using DLL files registered via configuration changes or administrative tools like AppCmd.exe. These components intercept or manipulate HTTP requests/responses for persistence or C2.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 92e3241c56a5355c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 92e3241c56a5…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0184

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.