{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/httplogging/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","iis","httplogging","appcmd","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers with access to an Internet Information Services (IIS) server, potentially through a webshell or other compromised entry point, may disable HTTP logging as a defense evasion technique. This is typically achieved by using the \u003ccode\u003eappcmd.exe\u003c/code\u003e utility with specific arguments to modify the IIS configuration, preventing the server from recording HTTP requests and responses. Disabling logging makes it significantly harder for defenders to detect malicious activity, trace attacker actions, and perform effective incident response. This activity is a common tactic employed by threat actors to obscure their presence and maintain persistence within a compromised environment, particularly when deploying webshells or conducting lateral movement. This behavior is typically observed post-exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the IIS server, possibly via a webshell or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003eappcmd.exe\u003c/code\u003e to modify the IIS configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eappcmd.exe\u003c/code\u003e command includes arguments to disable HTTP logging, such as \u003ccode\u003e/dontLog*:*True\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command targets specific sites, applications, or the entire server depending on the attacker\u0026rsquo;s objectives.\u003c/li\u003e\n\u003cli\u003eIIS configuration files, such as \u003ccode\u003eapplicationHost.config\u003c/code\u003e or \u003ccode\u003eweb.config\u003c/code\u003e, are modified to reflect the changes.\u003c/li\u003e\n\u003cli\u003eHTTP logging is disabled, preventing the server from recording HTTP requests and responses.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious activities, such as deploying webshells, without generating HTTP logs.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistence and evades detection by preventing forensic analysis.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of IIS HTTP logging can severely impair incident response capabilities. Organizations may be unable to detect malicious activity within their web infrastructure, leading to prolonged compromises and increased damage. This technique can be particularly damaging when attackers deploy webshells or conduct lateral movement within the network. Without HTTP logs, tracing attacker actions and identifying compromised systems becomes significantly more challenging. The impact can range from data breaches to system downtime and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;IIS HTTP Logging Disabled via AppCmd\u0026rdquo; to your SIEM to detect when \u003ccode\u003eappcmd.exe\u003c/code\u003e is used to disable HTTP logging.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with Event ID 1 to capture the execution of \u003ccode\u003eappcmd.exe\u003c/code\u003e with the relevant arguments, enabling detection via the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process of \u003ccode\u003eappcmd.exe\u003c/code\u003e and the user account under which it was executed.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to IIS configuration files (\u003ccode\u003eapplicationHost.config\u003c/code\u003e, \u003ccode\u003eweb.config\u003c/code\u003e) to detect unauthorized changes to logging settings.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the configuration of IIS HTTP logging to ensure it remains enabled and properly configured.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-iis-http-logging-disabled/","summary":"An attacker with IIS server access can disable HTTP Logging using `appcmd.exe` to evade defenses and prevent forensic analysis, as detected by the execution of `appcmd.exe` with arguments to disable logging.","title":"IIS HTTP Logging Disabled via AppCmd","url":"https://feed.craftedsignal.io/briefs/2024-01-iis-http-logging-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Httplogging","version":"https://jsonfeed.org/version/1.1"}