Advisory severity: high

IIS HTTP Logging Disabled via AppCmd

An attacker with access to an IIS server can disable HTTP logging with `appcmd.exe` to evade defenses and hinder forensic analysis. This advisory covers detection of `appcmd.exe` being executed with arguments that turn logging off.

Attackers with access to an Internet Information Services (IIS) server, potentially through a webshell or other compromised entry point, may disable HTTP logging as a defense evasion technique. This is typically achieved by using the appcmd.exe utility with specific arguments to modify the IIS configuration, preventing the server from recording HTTP requests and responses. Disabling logging makes it significantly harder for defenders to detect malicious activity, trace attacker actions, and perform effective incident response. This activity is a common tactic employed by threat actors to obscure their presence and maintain persistence within a compromised environment, particularly when deploying webshells or conducting lateral movement. This behavior is typically observed post-exploitation.

Attack Chain

  1. Attacker gains initial access to the IIS server, possibly via a webshell or exploiting a vulnerability.
  2. Attacker executes appcmd.exe to modify the IIS configuration.
  3. The appcmd.exe command includes arguments that disable HTTP logging, such as setting the dontLog attribute to True (matched by the pattern /dontLog*:*True).
  4. The command targets specific sites, applications, or the entire server depending on the attacker’s objectives.
  5. IIS configuration files, such as applicationHost.config or web.config, are modified to reflect the changes.
  6. HTTP logging is disabled, preventing the server from recording HTTP requests and responses.
  7. Attacker performs malicious activities, such as deploying webshells, without generating HTTP logs.
  8. Attacker maintains persistence and evades detection by preventing forensic analysis.

Impact

Successful disabling of IIS HTTP logging can severely impair incident response capabilities. Organizations may be unable to detect malicious activity within their web infrastructure, leading to prolonged compromises and increased damage. This technique can be particularly damaging when attackers deploy webshells or conduct lateral movement within the network. Without HTTP logs, tracing attacker actions and identifying compromised systems becomes significantly more challenging. The impact can range from data breaches to system downtime and reputational damage.

Recommendation

  • Deploy the Sigma rule “IIS HTTP Logging Disabled via AppCmd” to your SIEM to detect when appcmd.exe is used to disable HTTP logging.
  • Enable Sysmon process creation logging with Event ID 1 to capture the execution of appcmd.exe with the relevant arguments, enabling detection via the Sigma rules.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent process of appcmd.exe and the user account under which it was executed.
  • Monitor for modifications to IIS configuration files (applicationHost.config, web.config) to detect unauthorized changes to logging settings.
  • Regularly review and validate the configuration of IIS HTTP logging to ensure it remains enabled and properly configured.
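As an added example (not part of the advisory or its vendor's rules), the following Python applies the advisory's detection logic to Sysmon Event ID 1 records: it flags appcmd.exe invocations whose command line matches the /dontLog*:*True pattern from the attack chain and surfaces the parent process and user the recommendations say to triage. The event records are constructed, and checking the OriginalFileName field to catch a renamed copy is an assumption about how the "alternate file name" rule might work, not a statement of its actual content.

```python
import re
from pathlib import PureWindowsPath

# The Sigma-style pattern /dontLog*:*True from the attack chain, as a
# case-insensitive regex: "/dontLog", anything up to ":", anything up to "True".
DONTLOG_TRUE = re.compile(r"/dontLog[^\s:]*:\S*?True", re.IGNORECASE)

def is_appcmd(event):
    """Match on the image basename or, for a renamed copy, on the PE's
    OriginalFileName field (assumption: how a renamed appcmd would be caught)."""
    names = {PureWindowsPath(event.get("Image", "")).name.lower(),
             event.get("OriginalFileName", "").lower()}
    return "appcmd.exe" in names

def detect_logging_disabled(events):
    """Return one alert per Sysmon Event ID 1 record in which appcmd.exe
    sets dontLog to True, i.e. turns httpLogging off. /dontLog:False
    (logging re-enabled) and read-only 'list' commands do not alert."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1 or not is_appcmd(ev):
            continue
        cmd = ev.get("CommandLine", "")
        if "set config" in cmd.lower() and DONTLOG_TRUE.search(cmd):
            # Parent and user are what the recommendation says to triage first.
            alerts.append({"user": ev.get("User"),
                           "parent": ev.get("ParentImage"),
                           "command": cmd})
    return alerts

# Constructed Sysmon Event ID 1 records (not real telemetry).
INETSRV = r"C:\Windows\System32\inetsrv"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": INETSRV + r"\appcmd.exe", "OriginalFileName": "appcmd.exe",
     "ParentImage": INETSRV + r"\w3wp.exe", "User": r"IIS APPPOOL\DefaultAppPool",
     "CommandLine": 'appcmd.exe set config "Default Web Site" /section:httpLogging /dontLog:True'},
    {"EventID": 1, "Image": INETSRV + r"\appcmd.exe", "OriginalFileName": "appcmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\iisadmin",
     "CommandLine": "appcmd.exe list site"},
    {"EventID": 1, "Image": r"C:\Temp\svc.exe", "OriginalFileName": "appcmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\iisadmin",
     "CommandLine": 'svc.exe set config /section:httpLogging /dontLog:"True"'},
    {"EventID": 1, "Image": INETSRV + r"\appcmd.exe", "OriginalFileName": "appcmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\iisadmin",
     "CommandLine": "appcmd.exe set config /section:httpLogging /dontLog:False"},
]

def run_sample():
    return detect_logging_disabled(SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A worker-process parent such as w3wp.exe on the first alert is the webshell scenario the advisory describes and warrants the highest triage priority.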

Detection coverage (2 rules)

IIS HTTP Logging Disabled via AppCmd
Severity: high
Detects when IIS HTTP Logging is disabled via appcmd.exe
Rule type: Sigma | Tactic: defense_evasion | Technique: T1562.002 | Log sources: process_creation, windows

IIS HTTP Logging Disabled via AppCmd (Alternate)
Severity: high
Detects when IIS HTTP Logging is disabled via appcmd.exe (alternate file name)
Rule type: Sigma | Tactic: defense_evasion | Technique: T1562.002 | Log sources: process_creation, windows
