Threat Feed
high advisory

Windows PowerShell Used to Disable HTTP Logging

Adversaries may use PowerShell, specifically the IIS WebAdministration cmdlets, to disable HTTP logging on Windows web servers in order to evade detection and hinder forensic investigations.

Attackers who have gained a foothold on a web server may disable or manipulate IIS HTTP logging so that their requests leave no record, which makes it harder for security teams to investigate incidents and attribute malicious activity. This behaviour is typically observed post-exploitation, when adversaries are trying to maintain persistence and move laterally within a compromised environment. The detection looks for PowerShell activity that combines the WebAdministration cmdlets Get-WebConfigurationProperty (which reads IIS configuration) and Set-ItemProperty (which, against the IIS: drive, writes it) with logging-related values, in particular setting a site's logFile.enabled attribute to false or the httpLogging element's dontLog attribute to true. Detecting this behaviour matters because it indicates an active attempt to subvert security controls and maintain a covert presence, and because missing HTTP logs significantly impede incident response.

Attack Chain

  1. Initial access is achieved through an unspecified method (e.g., exploiting a vulnerability or using compromised credentials).
  2. The attacker gains a foothold on a Windows system running IIS within the target environment.
  3. The attacker launches PowerShell, often with obfuscation techniques to evade basic detection measures.
  4. The attacker executes the Get-WebConfigurationProperty cmdlet to query the current HTTP logging settings; this cmdlet only reads configuration.
  5. The attacker then uses Set-ItemProperty (or the paired Set-WebConfigurationProperty) to modify the HTTP logging configuration, for example setting logFile.enabled to false or the httpLogging dontLog attribute to true.
  6. The attacker re-reads the configuration to verify that HTTP logging has been disabled.
  7. The attacker continues with their objectives, such as lateral movement, data exfiltration, or deploying web shells such as those described in the referenced Microsoft Security Blog post.
  8. HTTP logs are no longer generated, hindering the ability to trace attacker activity and perform effective incident response.
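Steps 4 to 6 above, as an added PowerShell example for reproducing the behaviour in a lab so the resulting telemetry can be checked against detections. This is not code from the original advisory or from the referenced detections. It assumes an IIS host with the WebAdministration module, an elevated session, and a site named 'Default Web Site'; the function names Get-HttpLoggingState and Set-HttpLoggingState are mine. Set-WebConfigurationProperty is the writer paired with Get-WebConfigurationProperty and is the usual way to set dontLog; the broad rule below matches it because it only looks for the WebConfigurationProperty substring.

```powershell
# Added lab example: reproduce the logging-tamper sequence, verify it, restore it.
# Assumptions: IIS installed, WebAdministration module available, elevated session,
# site named 'Default Web Site'. Run only on a test host you own.
#Requires -RunAsAdministrator
Import-Module WebAdministration -ErrorAction Stop

$SiteName = 'Default Web Site'          # assumption: default IIS site name
$SitePath = "IIS:\Sites\$SiteName"
$AppHost  = 'MACHINE/WEBROOT/APPHOST'   # server-level applicationHost.config

function Get-HttpLoggingState {
    # Step 4: read the two attributes that decide whether requests reach the W3C log.
    # Both cmdlets used here only read configuration.
    $dontLog = (Get-WebConfigurationProperty -PSPath $AppHost `
                    -Filter 'system.webServer/httpLogging' -Name 'dontLog').Value
    $enabled = (Get-ItemProperty -Path $SitePath -Name 'logFile').enabled
    [pscustomobject]@{
        Site               = $SiteName
        LogFileEnabled     = [bool]$enabled   # false => per-site log file switched off
        HttpLoggingDontLog = [bool]$dontLog   # true  => server-wide "dontLog"
        LoggingActive      = ([bool]$enabled -and -not [bool]$dontLog)
    }
}

function Set-HttpLoggingState {
    param(
        [Parameter(Mandatory)][bool]$LogFileEnabled,
        [Parameter(Mandatory)][bool]$DontLog
    )
    # Step 5: the two writes the advisory describes. Set-ItemProperty against the
    # IIS: drive flips the per-site logFile.enabled attribute; Set-WebConfigurationProperty
    # flips httpLogging/dontLog in applicationHost.config.
    Set-ItemProperty -Path $SitePath -Name 'logFile.enabled' -Value $LogFileEnabled
    Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/httpLogging' `
        -Name 'dontLog' -Value $DontLog
}

$before = Get-HttpLoggingState
Set-HttpLoggingState -LogFileEnabled $false -DontLog $true   # the attacker's writes
$after = Get-HttpLoggingState                                 # step 6: verify
if ($after.LoggingActive) {
    throw 'HTTP logging is still active; check the site name and that the session is elevated.'
}

# Restore the original attributes so the lab host keeps logging. The detections
# should already have fired on the writes above; the restore is a second hit.
Set-HttpLoggingState -LogFileEnabled $before.LogFileEnabled -DontLog $before.HttpLoggingDontLog
$before, $after, (Get-HttpLoggingState) | Format-Table -AutoSize
```

Both writes land in applicationHost.config, so a file-integrity monitor on that file sees the change even when PowerShell logging is absent.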

Impact

Disabling HTTP logging lets attackers operate without leaving easily accessible traces of their web requests, which significantly complicates incident response and forensic investigation. With their web activity unrecorded, attackers can maintain persistence, move laterally, and exfiltrate data with a much lower chance of detection. Successfully disabling logging extends the attacker's dwell time within the environment, which can lead to larger data breaches, financial losses, and reputational damage.

Recommendation

  • Enable PowerShell Script Block Logging (Event ID 4104) on all critical endpoints, including web servers, to capture the commands executed; this is the primary data source for the provided Sigma rules and the original Splunk detection. Process-creation telemetry only sees cmdlets passed on the command line, whereas script block logging also records cmdlets run from scripts and from encoded or obfuscated launches.
  • Deploy the Sigma rule “PowerShell Disabling HTTP Logging” to detect the specific PowerShell commands used to disable HTTP logging and tune it to your environment.
  • Review historical PowerShell Script Block Logging data for indicators of HTTP logging manipulation.
  • Investigate any alerts generated by the Sigma rule, focusing on the user and process context of the PowerShell execution.
  • Monitor IIS hosts for unexpected modifications to IIS configuration files (applicationHost.config and per-site web.config), as referenced in the Microsoft Security Blog.
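The review of Script Block Logging data recommended above, as an added PowerShell example that implements the matching logic the two rules below describe (not the platform's own queries). The function names Test-HttpLoggingTamper and Get-HttpLoggingTamperEvents and the sample script blocks are mine; the samples are constructed, not real telemetry.

```powershell
# Added example: hunt PowerShell Script Block Logging (Event ID 4104) for the
# narrow (high) and broad (medium) patterns described in the advisory.

function Test-HttpLoggingTamper {
    <# Returns 'high' when a script block combines an IIS configuration cmdlet with a
       logging-related property and a disabling value (logFile.enabled -> false, or
       dontLog -> true), 'medium' when it merely combines WebConfigurationProperty and
       Set-ItemProperty, or $null. -match is case-insensitive, as PowerShell itself is. #>
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptBlockText)

    $cmdlet   = $ScriptBlockText -match 'WebConfigurationProperty|Set-ItemProperty'
    $property = $ScriptBlockText -match 'dontLog|logFile\.enabled|httpLogging'
    $disable  = ($ScriptBlockText -match 'false') -or
                ($ScriptBlockText -match 'dontLog' -and $ScriptBlockText -match 'true')

    if ($cmdlet -and $property -and $disable) { return 'high' }
    if ($ScriptBlockText -match 'WebConfigurationProperty' -and
        $ScriptBlockText -match 'Set-ItemProperty') { return 'medium' }
    return $null
}

function Get-HttpLoggingTamperEvents {
    # Live hunt over the local PowerShell operational log (readable by administrators).
    param([int]$MaxEvents = 20000, [datetime]$Since = (Get-Date).AddDays(-30))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4104 property layout: [0] MessageNumber, [1] MessageTotal,
        # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
        $text  = [string]$_.Properties[2].Value
        $level = Test-HttpLoggingTamper $text
        if ($level) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Severity    = $level
                UserId      = $_.UserId        # SID of the account that ran the block
                ProcessId   = $_.ProcessId
                Path        = $_.Properties[4].Value
                Snippet     = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Constructed sample script blocks (not real telemetry) to exercise the matcher.
$samples = @(
    'Import-Module WebAdministration; Set-ItemProperty ''IIS:\Sites\Default Web Site'' -Name logFile.enabled -Value $false'
    'Set-WebConfigurationProperty -Filter system.webServer/httpLogging -Name dontLog -Value $true'
    'Get-WebConfigurationProperty -Filter system.webServer/httpLogging -Name dontLog'
    'Get-WebConfigurationProperty -Filter system.webServer/defaultDocument/files -Name Collection; Set-ItemProperty ''IIS:\Sites\Default Web Site'' -Name physicalPath -Value C:\inetpub\newroot'
    'Set-ItemProperty HKLM:\SOFTWARE\Contoso -Name Enabled -Value 0'
)
# Expected: high, high, (none: read only), medium, (none: unrelated provider)
$samples | ForEach-Object {
    [pscustomobject]@{ Severity = Test-HttpLoggingTamper $_; ScriptBlock = $_ }
} | Format-Table -AutoSize

# Live hunt on a host with Script Block Logging enabled:
# Get-HttpLoggingTamperEvents | Sort-Object TimeCreated | Format-Table -AutoSize
```

The third sample shows why the narrow rule needs a write: a bare Get-WebConfigurationProperty is routine administration and should not fire on its own. Event 4104 records the script block as the engine compiles it, so the decoded text of an -EncodedCommand launch is what this matcher sees, while process-creation telemetry only has the obfuscated command line.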

Detection coverage (2 rules)

PowerShell Disabling HTTP Logging

high

Detects PowerShell commands used to disable HTTP logging by using `get-WebConfigurationProperty` and `Set-ItemProperty`.

Sigma. Tactics: defense_evasion. Techniques: T1505.004. Sources: process_creation, windows.

PowerShell with WebConfigurationProperty and Set-ItemProperty

medium

Detects any PowerShell use of WebConfigurationProperty together with Set-ItemProperty, without requiring a logging-related property or value, so it captures broader IIS configuration changes at the cost of more false positives.

Sigma. Tactics: discovery. Techniques: T1059.001. Sources: process_creation, windows.
