What are the recommended methods to detect an IIS module backdoor?
Detection focuses on inspecting the list of installed modules. Running `APPCMD.EXE list module` from the command line, or opening Modules in IIS Manager (inetmgr.exe), reveals any suspicious entries. Because module DLLs are loaded into the w3wp.exe process, memory analysis can also identify abnormal loaded modules. Regular audits of module configurations and file integrity checks on the DLLs are effective defenses. For more on bypassing controls, see "Testing and Analysis of Bypassing AppLocker Using LUA Scripts".
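One way to run the module audit and integrity check described above against an offline copy of a server's configuration, shown as an added example that is not from the original page. It assumes the native module list is taken from the `<globalModules>` section of applicationHost.config; the sample configuration, file contents, baseline and function names are all constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a <globalModules> fragment in the shape used by
# %windir%\System32\inetsrv\config\applicationHost.config.
SAMPLE_CONFIG = r"""
<configuration><system.webServer><globalModules>
  <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
  <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
  <add name="HttpCacheHelper" image="C:\ProgramData\cache\helper.dll" />
</globalModules></system.webServer></configuration>
"""

# Constructed byte strings standing in for the DLLs found on disk.
SAMPLE_FILES = {
    r"%windir%\System32\inetsrv\cachuri.dll": b"cachuri-v1",
    r"%windir%\System32\inetsrv\static.dll": b"static-tampered",
    r"C:\ProgramData\cache\helper.dll": b"unknown",
}

def _sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed baseline from a known-good build: name -> (image path, SHA-256).
BASELINE = {
    "UriCacheModule": (r"%windir%\System32\inetsrv\cachuri.dll", _sha256(b"cachuri-v1")),
    "StaticFileModule": (r"%windir%\System32\inetsrv\static.dll", _sha256(b"static-v1")),
}

def sample_hash(image):
    """Hash lookup for the sample; on a real host, expand the path and read the DLL."""
    return _sha256(SAMPLE_FILES[image])

def parse_global_modules(config_xml):
    """Return {module name: image path} for every server-wide native module."""
    root = ET.fromstring(config_xml)
    return {e.get("name"): e.get("image") for e in root.findall(".//globalModules/add")}

def audit(config_xml, baseline, hash_of):
    """Flag modules missing from the baseline, moved on disk, or with a changed hash."""
    findings = []
    for name, image in sorted(parse_global_modules(config_xml).items()):
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif image.lower() != baseline[name][0].lower():
            findings.append((name, "image path changed"))
        elif hash_of(image) != baseline[name][1]:
            findings.append((name, "hash mismatch"))
    return findings
```

A module flagged here still needs review before it is treated as malicious, since a legitimate update or newly installed feature also changes the list or the hashes.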