Merge PR #4935 from @frack113 - Add new IIS logsource and related rules

chore: add "Microsoft-IIS-Configuration/Operational" support to the tests and thor.yml new: ETW Logging/Processing Option Disabled On IIS Server new: HTTP Logging Disabled On IIS Server new: New Module Module Added To IIS Server new: Previously Installed IIS Module Was Removed --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Oct 6, 2024 · c70fff4 · c70fff4
1 parent 8a3f074
commit c70fff4
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 1 deletion.
diff --git a/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml b/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml
@@ -0,0 +1,28 @@
+title: ETW Logging/Processing Option Disabled On IIS Server
+id: a5b40a90-baf5-4bf7-a6f7-373494881d22
+status: experimental
+description: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
+references:
+    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
+    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
+    - https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
+author: frack113, Nasreddine Bencherchali
+date: 2024-10-06
+tags:
+    - attack.defense-evasion
+    - attack.t1562.002
+    - attack.t1505.004
+logsource:
+    product: windows
+    service: iis-configuration
+detection:
+    selection:
+        EventID: 29
+        Configuration|endswith: '@logTargetW3C'
+        OldValue|contains: 'ETW'
+    filter_main_etw_added:
+        NewValue|contains: 'ETW'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Legitimate administrator activity
+level: medium
diff --git a/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml b/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml
@@ -0,0 +1,26 @@
+title: HTTP Logging Disabled On IIS Server
+id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
+status: experimental
+description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
+references:
+    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
+    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
+    - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
+author: frack113
+date: 2024-10-06
+tags:
+    - attack.defense-evasion
+    - attack.t1562.002
+    - attack.t1505.004
+logsource:
+    product: windows
+    service: iis-configuration
+detection:
+    selection:
+        EventID: 29
+        Configuration: '/system.webServer/httpLogging/@dontLog'
+        NewValue: 'true'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/builtin/iis-configuration/win_iis_module_added.yml b/rules/windows/builtin/iis-configuration/win_iis_module_added.yml
@@ -0,0 +1,44 @@
+title: New Module Module Added To IIS Server
+id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
+status: experimental
+description: Detects the addition of a new module to an IIS server.
+references:
+    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
+    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
+    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
+    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
+author: frack113
+date: 2024-10-06
+tags:
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.t1562.002
+    - attack.t1505.004
+logsource:
+    product: windows
+    service: iis-configuration
+detection:
+    selection:
+        EventID: 29
+        Configuration|contains: '/system.webServer/modules/add'
+    filter_main_builtin:
+        NewValue:
+            - 'AnonymousAuthenticationModule'
+            - 'CustomErrorModule'
+            - 'DefaultDocumentModule'
+            - 'DirectoryListingModule'
+            - 'FileCacheModule'
+            - 'HttpCacheModule'
+            - 'HttpLoggingModule'
+            - 'ProtocolSupportModule'
+            - 'RequestFilteringModule'
+            - 'StaticCompressionModule'
+            - 'StaticFileModule'
+            - 'TokenCacheModule'
+            - 'UriCacheModule'
+    filter_main_remove:
+        NewValue: ''
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Legitimate administrator activity
+level: medium
diff --git a/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml b/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml
@@ -0,0 +1,28 @@
+title: Previously Installed IIS Module Was Removed
+id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
+status: experimental
+description: Detects the removal of a previously installed IIS module.
+references:
+    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
+    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
+    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
+    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
+author: Nasreddine Bencherchali
+date: 2024-10-06
+tags:
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.t1562.002
+    - attack.t1505.004
+logsource:
+    product: windows
+    service: iis-configuration
+detection:
+    selection:
+        EventID: 29
+        Configuration|contains: '/system.webServer/modules/remove'
+    condition: selection
+falsepositives:
+    - Legitimate administrator activity
+# Note: Upgrade after an initial baseline
+level: low
diff --git a/tests/logsource.json b/tests/logsource.json
@@ -96,7 +96,8 @@
                 "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"],
                 "appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"],
                 "capi2":[],
-                "certificateservicesclient-lifecycle-system":[]
+                "certificateservicesclient-lifecycle-system":[],
+                "iis-configuration":[ "PhysicalPath","ConfigPath","EffectiveLocationPath","Configuration","TokenCacheModule","EditOperationType","OldValue","NewValue"]
             }
         },
         "linux":{

diff --git a/tests/thor.yml b/tests/thor.yml
@@ -564,6 +564,11 @@ logsources:
         sources:
             - 'WinEventLog:Microsoft-ServiceBus-Client/Admin'
             - 'WinEventLog:Microsoft-ServiceBus-Client/Operational'
+    windows-iis-configuration:
+        product: windows
+        service: iis-configuration
+        sources:
+            - 'WinEventLog:Microsoft-IIS-Configuration/Operational'
     apache:
         category: webserver
         sources: