MITRE ATT&CK Technique
Description
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013) Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012) Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports <code>RegisterModule</code>, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-06-03T18:44:29.770Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may install malicious components that run on '
'Internet Information Services (IIS) web servers to establish '
'persistence. IIS provides several mechanisms to extend the '
'functionality of the web servers. For example, Internet '
'Server Application Programming Interface (ISAPI) extensions '
'and filters can be installed to examine and/or modify '
'incoming and outgoing IIS web requests. Extensions and '
'filters are deployed as DLL files that export three '
'functions: <code>Get{Extension/Filter}Version</code>, '
'<code>Http{Extension/Filter}Proc</code>, and (optionally) '
'<code>Terminate{Extension/Filter}</code>. IIS modules may '
'also be installed to extend IIS web servers.(Citation: '
'Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft '
'ISAPI Filter Overview 2017)(Citation: IIS Backdoor '
'2011)(Citation: Trustwave IIS Module 2013)\n'
'\n'
'Adversaries may install malicious ISAPI extensions and '
'filters to observe and/or modify traffic, execute commands on '
'compromised machines, or proxy command and control traffic. '
'ISAPI extensions and filters may have access to all IIS web '
'requests and responses. For example, an adversary may abuse '
'these mechanisms to modify HTTP responses in order to '
'distribute malicious commands/content to previously comprised '
'hosts.(Citation: Microsoft ISAPI Filter Overview '
'2017)(Citation: Microsoft ISAPI Extension Overview '
'2017)(Citation: Microsoft ISAPI Extension All Incoming '
'2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module '
'2013)(Citation: MMPC ISAPI Filter 2012)\n'
'\n'
'Adversaries may also install malicious IIS modules to observe '
'and/or modify traffic. IIS 7.0 introduced modules that '
'provide the same unrestricted access to HTTP requests and '
'responses as ISAPI extensions and filters. IIS modules can be '
'written as a DLL that exports <code>RegisterModule</code>, or '
'as a .NET application that interfaces with ASP.NET APIs to '
'access IIS HTTP requests.(Citation: Microsoft IIS Modules '
'Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: '
'ESET IIS Malware 2021)',
'external_references': [{'external_id': 'T1505.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1505/004'},
{'description': 'Dell SecureWorks Counter Threat Unit '
'Threat Intelligence. (2015, August '
'5). Threat Group-3390 Targets '
'Organizations for Cyberespionage. '
'Retrieved August 18, 2018.',
'source_name': 'Dell TG-3390',
'url': 'https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage'},
{'description': 'Falcone, R. (2018, January 25). '
'OilRig uses RGDoor IIS Backdoor on '
'Targets in the Middle East. '
'Retrieved July 6, 2018.',
'source_name': 'Unit 42 RGDoor Jan 2018',
'url': 'https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/'},
{'description': 'Grunzweig, J. (2013, December 9). '
'The Curious Case of the Malicious '
'IIS Module. Retrieved June 3, 2021.',
'source_name': 'Trustwave IIS Module 2013',
'url': 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/'},
{'description': 'Hromcová, Z., Cherepanov, A. (2021). '
'Anatomy of Native IIS Malware. '
'Retrieved September 9, 2021.',
'source_name': 'ESET IIS Malware 2021',
'url': 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf'},
{'description': 'Julien. (2011, February 2). IIS '
'Backdoor. Retrieved June 3, 2021.',
'source_name': 'IIS Backdoor 2011',
'url': 'https://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html'},
{'description': 'Microsoft. (2007, November 24). IIS '
'Modules Overview. Retrieved June 17, '
'2021.',
'source_name': 'Microsoft IIS Modules Overview 2007',
'url': 'https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview'},
{'description': 'Microsoft. (2017, June 16). '
'Intercepting All Incoming IIS '
'Requests. Retrieved June 3, 2021.',
'source_name': 'Microsoft ISAPI Extension All '
'Incoming 2017',
'url': 'https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525696(v=vs.90)'},
{'description': 'Microsoft. (2017, June 16). ISAPI '
'Extension Overview. Retrieved June '
'3, 2021.',
'source_name': 'Microsoft ISAPI Extension Overview '
'2017',
'url': 'https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)'},
{'description': 'Microsoft. (2017, June 16). ISAPI '
'Filter Overview. Retrieved June 3, '
'2021.',
'source_name': 'Microsoft ISAPI Filter Overview 2017',
'url': 'https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90)'},
{'description': 'MMPC. (2012, October 3). Malware '
'signed with the Adobe code signing '
'certificate. Retrieved June 3, 2021.',
'source_name': 'MMPC ISAPI Filter 2012',
'url': 'https://web.archive.org/web/20140804175025/http:/blogs.technet.com/b/mmpc/archive/2012/10/03/malware-signed-with-the-adobe-code-signing-certificate.aspx'}],
'id': 'attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:49:15.437Z',
'name': 'IIS Components',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Wes Hurd'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}