DET0068: Detection Strategy for T1505.004 - Malicious IIS Components
Analyst context for executives and security teams
This detection strategy is tied to malicious IIS components used for persistence on Windows IIS web servers. For leaders, the value is not in the sparse ATT&CK strategy text itself—MITRE provides no official detection details here—but in recognizing that web server extension points can become durable access mechanisms. Organizations that rely on IIS should be able to prove they know which IIS components are authorized, how changes are reviewed, and whether SOC/IR teams can investigate unexpected DLL-based IIS extensions or filters.
Executive priority
Treat this as a control-assurance question for externally exposed or business-critical IIS services: do we have an inventory of IIS servers and approved components, do we monitor unauthorized changes, and can incident responders quickly determine whether persistence was introduced through IIS extensibility? This matters for operational resilience because persistence on a web server can complicate containment and recovery. It also supports audit and compliance evidence around change control, privileged administration, and monitoring of critical server configurations.
Technical view
The ATT&CK detection strategy object itself has no official description, platforms, tactics, or detection guidance. The only actionable context is its relationship to T1505.004, IIS Components, which is an enterprise Windows persistence technique involving IIS components such as ISAPI extensions and filters deployed as DLL files. SOC and detection engineering teams should validate coverage around IIS configuration changes, new or modified IIS-related DLLs, web server process module loading, and administrative activity that changes IIS extension/filter configuration. IR teams should include IIS component review in persistence triage for Windows web servers.
Likely telemetry
- Windows host file and integrity monitoring for IIS directories and DLL changes
- IIS configuration and administration logs where available
- Windows event logs related to service, process, and configuration activity
- Process and module-load telemetry for IIS worker processes and related web server services
- Change management records for approved IIS extensions, filters, and web application components
Detection direction
- Start by identifying all Windows IIS servers, then baseline authorized IIS components, extensions, filters, and related DLL locations.
- Alert or hunt for newly added, modified, or unusual IIS components that do not match approved change records.
- Correlate IIS component changes with administrative logons, deployment activity, and web server process behavior to reduce false positives from legitimate application releases.
- Validate whether telemetry captures module loads or file changes tied to IIS worker processes; absence of this visibility is a material blind spot.
- Because MITRE provides no detection logic in this object, tune detections using local IIS architecture, deployment practices, and known-good component inventory.
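As an added example (not Glexia analysis and not MITRE content), the Python below shows the baseline-and-compare direction from the bullets above in working form: it parses a constructed applicationHost.config fragment, diffs the globalModules and isapiFilters entries against an approved component inventory, and applies the same inventory to constructed Sysmon-style image-load events for the IIS worker process. The inventory, component names, file paths, the %windir% value and the event records are all assumptions built for the example; only the configuration section names and the w3wp.exe process name are real IIS references.

```python
# Added example: baseline-vs-observed check for IIS components.
# Not Glexia or MITRE code; every path, name and event below is constructed.
import ntpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumption: %windir% resolves to C:\Windows on the monitored host.
WINDIR = r"C:\Windows"

# Approved inventory (name -> image path) as change control would record it (constructed).
APPROVED = {
    "DefaultDocumentModule": r"%windir%\System32\inetsrv\defdoc.dll",
    "CustomHeaderModule": r"%windir%\System32\inetsrv\custhdr.dll",
    "ASP.Net_4.0_32bit": r"%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_filter.dll",
}
# Directories where IIS-shipped binaries normally live; anything outside them gets reviewed.
APPROVED_DIRS = (r"%windir%\System32\inetsrv", r"%windir%\Microsoft.NET")

# Constructed applicationHost.config fragment: two approved entries, one approved name
# whose image path was changed, and two entries that appear in no change record.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="CacheHelper" image="C:\inetpub\temp\cachehelper.dll" />
      <add name="CustomHeaderModule" image="C:\inetpub\temp\custhdr.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="ASP.Net_4.0_32bit" path="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_filter.dll" enabled="true" />
      <filter name="LogFilter" path="C:\inetpub\wwwroot\bin\logfilter.dll" enabled="true" />
    </isapiFilters>
  </system.webServer>
</configuration>
"""

# Constructed Sysmon-style (Event ID 7) image-load records.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "ImageLoaded": r"C:\Windows\System32\inetsrv\defdoc.dll"},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "ImageLoaded": r"C:\inetpub\temp\cachehelper.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


@dataclass(frozen=True)
class Finding:
    kind: str    # "globalModule", "isapiFilter" or "imageLoad"
    name: str
    image: str
    reason: str


def normalize(path: str) -> str:
    """Expand %windir%, normalise separators and lowercase so paths compare reliably."""
    return ntpath.normpath(path.replace("%windir%", WINDIR)).lower()


def in_approved_dir(norm_path: str) -> bool:
    return any(norm_path.startswith(normalize(d) + "\\") for d in APPROVED_DIRS)


def classify(kind: str, name: str, image: str):
    """Return None for an approved component, otherwise a Finding explaining the mismatch."""
    norm = normalize(image)
    if name in APPROVED and normalize(APPROVED[name]) == norm:
        return None
    if name in APPROVED:
        reasons = [f"path differs from approved record {APPROVED[name]}"]
    else:
        reasons = ["not in approved inventory"]
    if not in_approved_dir(norm):
        reasons.append("outside IIS binary directories")
    return Finding(kind, name, image, "; ".join(reasons))


def check_config(xml_text: str) -> list:
    """Flag globalModules and isapiFilters entries that do not match the approved inventory."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            f = classify("globalModule", add.get("name", ""), add.get("image", ""))
            if f:
                findings.append(f)
    for section in root.iter("isapiFilters"):
        for flt in section.findall("filter"):
            f = classify("isapiFilter", flt.get("name", ""), flt.get("path", ""))
            if f:
                findings.append(f)
    return findings


def check_image_loads(events: list) -> list:
    """Flag DLLs loaded into w3wp.exe that neither the inventory nor the IIS directories explain.
    A production rule would extend APPROVED_DIRS with the OS and .NET runtime directories."""
    approved_images = {normalize(p) for p in APPROVED.values()}
    findings = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "w3wp.exe":
            continue  # only the IIS worker process is in scope here
        norm = normalize(ev["ImageLoaded"])
        if norm in approved_images or in_approved_dir(norm):
            continue
        f = classify("imageLoad", ntpath.basename(ev["ImageLoaded"]), ev["ImageLoaded"])
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG) + check_image_loads(SAMPLE_IMAGE_LOADS):
        print(f"[{f.kind}] {f.name}: {f.image} -> {f.reason}")
```

Against the constructed data the config check returns three findings (CacheHelper and LogFilter are absent from the inventory, CustomHeaderModule keeps its approved name but points at a different DLL) and the image-load check returns one (cachehelper.dll loaded into w3wp.exe). On a real host, APPROVED would be populated from the change-control record and the findings would be joined with administrative logon and deployment events, as the correlation bullet above describes, before they are raised as alerts.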
Mitigation priorities
- Maintain an authoritative inventory of IIS servers and approved IIS components.
- Enforce change control for IIS extensions, filters, and DLL deployments on production web servers.
- Restrict administrative privileges on Windows IIS hosts to approved operators and service accounts.
- Use file integrity monitoring or equivalent controls for IIS component paths and configuration files.
- Include IIS component review in incident response playbooks for persistence investigation and recovery validation.
Analyst notes and limits
This take is based on DET0068 and its stated relationship to T1505.004, IIS Components. The detection strategy record contains no official detection text, so the practical guidance is derived only from the related technique description, platform, and tactic context supplied in the relationship.
ATT&CK did not provide official detection content, platforms, or tactics directly on DET0068. Local IIS configuration, logging policy, EDR visibility, deployment model, and approved component inventory are required to turn this into validated detections or audit evidence.
Detection Strategy for T1505.004 - Malicious IIS Components
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1505.004 | IIS Components (sub-technique) | This object detects IIS Components. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cf98a26b09c1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0068 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.