Severity: medium (advisory)

IIS HTTP Logging Disabled via AppCmd.exe

Detection of adversaries disabling HTTP logging on IIS servers using AppCmd.exe, potentially evading detection by removing evidence of their actions.

Attackers may disable HTTP logging on IIS servers to evade detection and remove forensic evidence of their malicious activity. This can be achieved by using the AppCmd.exe utility, a command-line tool for managing IIS. This activity is significant as it can allow adversaries to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively. The attacks have been observed since at least 2022 and target Windows IIS servers. Defenders should monitor for unusual uses of AppCmd.exe that disable or modify HTTP logging settings.

Attack Chain

  1. Initial access to the target Windows server via exploitation of a vulnerability, stolen credentials, or other means (not detailed in source).
  2. The attacker gains a foothold on the IIS server, establishing a command execution channel (e.g., web shell).
  3. The attacker uses AppCmd.exe to query the current HTTP logging settings to understand the baseline configuration.
  4. The attacker executes AppCmd.exe with parameters to disable HTTP logging, such as setting dontLog:true or modifying the logging path to an invalid location.
  5. The system modifies the IIS configuration to disable or alter HTTP logging as specified by the AppCmd.exe command.
  6. The attacker performs malicious activities, such as web shell execution or data exfiltration, without HTTP logs recording these actions.
  7. The attacker attempts to maintain persistence on the compromised server using various techniques (not detailed in source).
  8. The attacker achieves their objective, such as data theft, system compromise, or further lateral movement within the network.
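The command lines issued in steps 3 to 5 are exactly what a process-creation detection keys on. The following Python is an added example, not code from this advisory or the platform's own Sigma rules: it runs the two detections this page describes (AppCmd disabling HTTP logging, AppCmd redirecting the log directory) over constructed Sysmon Event ID 1 records. The record fields follow Sysmon's names (Image, OriginalFileName, CommandLine, ParentImage, User); the regular expressions are my approximation of the rule logic built from the dontLog:true and logFile.directory attributes the text mentions, and treating w3wp.exe as a suspicious parent is an assumption that reflects the web-shell foothold in step 2.

```python
"""Added example: run the two AppCmd HTTP-logging detections over Sysmon
Event ID 1 records. Constructed for this page; the match patterns are an
approximation of the rule logic, not the platform's Sigma rule text."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

RULE_DISABLE = "Detect AppCmd Usage to Disable HTTP Logging"
RULE_PATH = "Detect AppCmd Usage to Modify HTTP Logging Path"

# AppCmd accepts "/" or "-" as the parameter prefix and attribute names are
# case-insensitive, so the patterns tolerate both.
_SET_RE = re.compile(r"\bset\s+(?:config|site)\b", re.I)
_DISABLE_RE = re.compile(r"[/-](?:dontLog:true|logFile\.enabled:false)", re.I)
_PATH_RE = re.compile(r"[/-](?:[\w.]+\.)?logFile\.directory:", re.I)

# Assumption: AppCmd spawned by the IIS worker process points at a web shell.
WEB_WORKER = "w3wp.exe"


@dataclass
class Finding:
    rule: str
    command_line: str
    parent_image: str
    user: str
    parent_is_web_worker: bool


def is_appcmd(event: dict) -> bool:
    """Image-based match with an OriginalFileName fallback for renamed copies."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\appcmd.exe") or original == "appcmd.exe"


def classify(event: dict) -> Optional[str]:
    """Return the matching rule name, or None when the record is benign."""
    if not is_appcmd(event):
        return None
    cmd = event.get("CommandLine", "")
    # "list config" (step 3 of the attack chain) only reads settings; it is
    # left as a hunting lead rather than an alert.
    if not _SET_RE.search(cmd):
        return None
    if _DISABLE_RE.search(cmd):
        return RULE_DISABLE
    if _PATH_RE.search(cmd):
        return RULE_PATH
    return None


def scan(events: Iterable[dict]) -> list[Finding]:
    """Classify every record and enrich hits with parent/user context."""
    findings = []
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        parent = ev.get("ParentImage", "")
        findings.append(Finding(
            rule=rule,
            command_line=ev.get("CommandLine", ""),
            parent_image=parent,
            user=ev.get("User", ""),
            parent_is_web_worker=parent.lower().endswith("\\" + WEB_WORKER),
        ))
    return findings


# Constructed Sysmon Event ID 1 records (not real telemetry).
APPCMD = r"C:\Windows\System32\inetsrv\appcmd.exe"
SAMPLE_EVENTS = [
    {"Image": APPCMD, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CONTOSO\iisadmin",
     "CommandLine": "appcmd.exe list config -section:system.webServer/httpLogging"},
    {"Image": APPCMD, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\DefaultAppPool",
     "CommandLine": "appcmd.exe set config /section:httpLogging /dontLog:true"},
    {"Image": APPCMD, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CONTOSO\iisadmin",
     "CommandLine": r'appcmd set config -section:system.applicationHost/sites /siteDefaults.logFile.directory:"Z:\nonexistent\logs"'},
    {"Image": APPCMD, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CONTOSO\iisadmin", "CommandLine": "appcmd.exe list sites"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CONTOSO\user", "CommandLine": "notepad.exe set config /dontLog:true"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        flag = " [parent is IIS worker process]" if f.parent_is_web_worker else ""
        print(f"{f.rule}: user={f.user} parent={f.parent_image}{flag}\n  {f.command_line}")
```

Only the second and third records fire; the read-only `list config` query in the first record is deliberately not alerted on, since it matches routine administration, but it is the kind of precursor worth pivoting on once an alert from the same host or user arrives. The parent-process flag carries the triage hint from the Recommendation section: AppCmd launched by the IIS worker process rather than an interactive shell is the stronger signal.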

Impact

Successful disabling of HTTP logging on IIS servers allows attackers to operate without creating easily accessible logs of their activities. This can significantly hinder incident response efforts, as it becomes more difficult to trace the attacker's actions and understand the scope of the compromise. Without logging, defenders may struggle to identify exploited vulnerabilities, detect malicious web shells, or track data exfiltration attempts. This technique is often seen in conjunction with other defense evasion tactics and can prolong the attacker's presence within the environment.

Recommendation

  • Deploy the Sigma rule Detect AppCmd Usage to Disable HTTP Logging to identify instances of AppCmd.exe being used to disable HTTP logging (see rules).
  • Enable Sysmon process creation logging (Event ID 1) on all Windows servers to ensure visibility of AppCmd.exe execution.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent processes and users associated with the AppCmd.exe execution.
  • Monitor for unusual changes to IIS configuration files, especially those related to HTTP logging settings.
  • Review historical logs for any previous attempts to disable HTTP logging using AppCmd.exe.
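For the fourth recommendation, monitoring IIS configuration for logging changes, the following is an added example and not the advisory's or any vendor's tooling: a Python audit over a constructed applicationHost.config fragment that reports the settings an AppCmd command would have changed. The element and attribute names (httpLogging dontLog, siteDefaults/logFile and site/logFile with enabled and directory, location overrides) are the real IIS configuration schema; the expected log root is the IIS default and is an assumption to replace with the environment's own baseline.

```python
"""Added example: audit an applicationHost.config for HTTP-logging settings an
attacker could have changed with AppCmd. Constructed for this page; not the
advisory's or any vendor's tooling."""
import xml.etree.ElementTree as ET

# IIS default log root; assumption, adjust to the environment's baseline.
EXPECTED_LOG_ROOT = r"%SystemDrive%\inetpub\logs\LogFiles"


def _children(elem, tag):
    """Direct children with the given tag (IIS section names contain dots,
    so plain iteration is used instead of ElementPath expressions)."""
    return [c for c in elem if c.tag == tag]


def _is(val, expected):
    return (val or "").strip().lower() == expected


def _check_logfile(scope, log_file, expected_root, findings):
    """Per-site and siteDefaults <logFile> carry 'enabled' and 'directory'."""
    if _is(log_file.get("enabled"), "false"):
        findings.append((scope, "logFile enabled=false"))
    directory = log_file.get("directory")
    if directory and not directory.lower().startswith(expected_root.lower()):
        findings.append((scope, f"logFile directory outside expected root: {directory}"))


def audit_logging(config_xml, expected_root=EXPECTED_LOG_ROOT):
    """Return (scope, issue) pairs; an empty list means logging looks intact."""
    root = ET.fromstring(config_xml.strip())
    findings = []
    # Server-wide <httpLogging dontLog="true"> is the setting that
    # "appcmd set config /section:httpLogging /dontLog:true" writes.
    for web_server in _children(root, "system.webServer"):
        for hl in _children(web_server, "httpLogging"):
            if _is(hl.get("dontLog"), "true"):
                findings.append(("server", "httpLogging dontLog=true"))
    # <location path="..."> blocks can override it for a single site or app.
    for loc in _children(root, "location"):
        for web_server in _children(loc, "system.webServer"):
            for hl in _children(web_server, "httpLogging"):
                if _is(hl.get("dontLog"), "true"):
                    findings.append((f"location:{loc.get('path')}", "httpLogging dontLog=true"))
    # The log directory and per-site enable flag live under <sites>.
    for app_host in _children(root, "system.applicationHost"):
        for sites in _children(app_host, "sites"):
            for defaults in _children(sites, "siteDefaults"):
                for lf in _children(defaults, "logFile"):
                    _check_logfile("siteDefaults", lf, expected_root, findings)
            for site in _children(sites, "site"):
                for lf in _children(site, "logFile"):
                    _check_logfile(f"site:{site.get('name')}", lf, expected_root, findings)
    return findings


# Constructed applicationHost.config fragment (not taken from a real server).
SAMPLE_CONFIG = r"""
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <logFile directory="Z:\nonexistent\logs" />
      </site>
      <site name="Intranet" id="2">
        <logFile enabled="false" />
      </site>
      <site name="Healthy" id="3" />
      <siteDefaults>
        <logFile logFormat="W3C" directory="%SystemDrive%\inetpub\logs\LogFiles" />
      </siteDefaults>
    </sites>
  </system.applicationHost>
  <system.webServer>
    <httpLogging dontLog="true" />
  </system.webServer>
  <location path="Healthy">
    <system.webServer>
      <httpLogging dontLog="false" />
    </system.webServer>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for scope, issue in audit_logging(SAMPLE_CONFIG):
        print(f"{scope}: {issue}")
```

Run against the live `%windir%\System32\inetsrv\config\applicationHost.config` on a schedule (or from a file-integrity alert on that path) and diff the result against the previous run: a finding that appears without a matching change ticket is the configuration-side counterpart of the process-creation alert, and it also catches edits made through means other than AppCmd, such as direct file modification or the IIS Manager UI.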

Detection coverage (2 rules)

Detect AppCmd Usage to Disable HTTP Logging

Severity: medium

Detects the use of AppCmd.exe to disable HTTP logging on IIS servers

Rule type: sigma | Tactics: defense_evasion | Techniques: T1505.004, T1562.001 | Sources: process_creation, windows

Detect AppCmd Usage to Modify HTTP Logging Path

Severity: medium

Detects the use of AppCmd.exe to modify the HTTP logging path, potentially to an invalid location

Rule type: sigma | Tactics: defense_evasion | Techniques: T1505.004, T1562.001 | Sources: process_creation, windows
