Windows Shell Execution from IIS Installation Directory
Detection of command-line tools executing from the IIS installation directory on Windows systems, potentially indicating exploitation of IIS-reliant software like Microsoft Exchange.
This detection identifies suspicious activity where command-line interpreters such as cmd.exe, powershell.exe, or pwsh.exe are executed from the Internet Information Services (IIS) installation directory (typically C:\Windows\System32\inetsrv). This behavior is anomalous because legitimate processes should not normally spawn command shells from within the IIS directory. Such activity can indicate successful exploitation of vulnerabilities in software that relies on IIS, such as Microsoft Exchange, where attackers may leverage web shells or other attack vectors to gain a foothold on the system and execute arbitrary commands. The initial Splunk ES search was published on 2026-05-05. Defenders should prioritize investigating any instance of command-line tools executing from the IIS directory to identify and remediate potential security breaches.
Attack Chain
- An attacker exploits a vulnerability in a web application hosted on IIS, such as ProxyShell or ProxyNotShell in Exchange.
- The attacker gains initial access to the system and uploads a web shell to a directory accessible by IIS, potentially within the inetpub\wwwroot folder or a subdirectory.
- The web shell, often written in ASP or ASPX, is executed by IIS when accessed through a web browser.
- The web shell executes a command-line interpreter (cmd.exe, powershell.exe, or pwsh.exe) from the IIS installation directory (C:\Windows\System32\inetsrv).
- The command-line interpreter is used to execute arbitrary commands, such as reconnaissance, privilege escalation, or lateral movement.
- The attacker uses the command-line interpreter to download and execute additional malicious tools, such as Mimikatz or Cobalt Strike beacons.
- The attacker leverages the compromised system to access sensitive data, such as email, financial records, or intellectual property.
- The attacker exfiltrates the stolen data to an external server or deploys ransomware to encrypt the system and demand a ransom payment.
Impact
Successful exploitation of IIS and execution of malicious commands can lead to severe consequences, including data breaches, financial losses, and reputational damage. The impact may include the compromise of sensitive data such as customer information, financial records, or intellectual property. In some cases, attackers may deploy ransomware, causing significant disruption to business operations and requiring costly recovery efforts. Organizations in various sectors, including finance, healthcare, and government, may be targeted due to their reliance on IIS-based web applications.
Recommendation
- Enable Sysmon process creation logging (Event ID 1) to capture process execution events, including the parent process, command line, and current directory.
- Deploy the Sigma rule “Detect Windows Shell or Script Execution From IIS Directory” to your SIEM and tune for your environment.
- Investigate any alerts generated by the Sigma rule, focusing on systems running IIS and applications like Exchange.
- Implement application whitelisting to restrict the execution of command-line interpreters from the IIS installation directory.
- Regularly patch and update IIS and related applications to address known vulnerabilities like those targeted by ProxyShell (T1190).
Detection coverage (2 rules)
Detect Windows Shell or Script Execution From IIS Directory
Severity: high. Detects Windows command tools such as cmd, PowerShell, or pwsh being executed from the IIS installation directory.
Detect PowerShell from Inetpub Directory
Severity: medium. Detects PowerShell being executed with a current directory inside Inetpub.
Detection queries are kept inside the platform.