Reference: https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/

Enable Microsoft-IIS-Configuration Operational.md

Want to identify new IIS modules installed?

Enable Logging

• Lists additional logs available for IIS: wevtutil el | findstr -i IIS
• Configuration for the selected log: wevtutil gl Microsoft-IIS-Configuration/Operational
• Enable the selected log: wevtutil sl /e:true Microsoft-IIS-Configuration/Operational

Once enabled, make a new Splunk App and deploy.

Inputs.conf

[WinEventLog://Microsoft-IIS-Configuration/Operational]
index=win
sourcetype=IIS:Configuration:Operational
disabled = false
###
# Modify cron schedule as you like. Default is once daily. 
# Modify index as needed.
# We recommend this method over the other options provided.
###
[powershell://IISModules]
script = Get-WebGlobalModule
schedule = */1 * * * *
#schedule = 0 0 * * *
sourcetype = Pwsh:InstalledIISModules
index=iis

Scripted Input

This is just additional ways to do the same task. We recommend the above though.

Folder structure:

Appcmd -> default -> inputs.conf

-> bin -> win_iis_modules.bat

#####
# Some extra ways to do this
#
####
#[script://.\bin\win_iis_modules.bat]
#disabled = false
## Run once per day
#interval = 86400
#sourcetype = Script:InstalledIISModules
#index=win

#[powershell://AppCmdModules]
#script = . "$SplunkHome\etc\apps\appcmd\bin\appcmd_modules.ps1"
#schedule = */1 * * * *
#schedule = 0 0 * * *
#sourcetype = Script:InstalledIISModules
#index=iis

win_iis_modules.bat

%windir%\system32\inetsrv\appcmd.exe list modules

appcmd_modules.ps1

$appCmd = "C:\windows\system32\inetsrv\appcmd.exe"
[xml]$list = & $appCmd --% list modules /XML 

$list.appcmd.MODULE