{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/logging/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","IIS"],"_cs_severities":["high"],"_cs_tags":["iis","logging","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies the use of \u003ccode\u003eAppCmd.exe\u003c/code\u003e to disable HTTP logging on Internet Information Services (IIS) servers. The technique is significant because adversaries can use it to keep their malicious activity out of the IIS logs. The detection focuses on process execution events logged by Endpoint Detection and Response (EDR) agents. By disabling HTTP logging, attackers can operate undetected, making it difficult to trace their actions and respond effectively to intrusions. 
The references indicate this technique has been observed in campaigns attributed to threat actors like OilRig, where IIS backdoors are used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system via exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker gains a foothold on the IIS server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eappcmd.exe\u003c/code\u003e to modify IIS settings.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eappcmd.exe\u003c/code\u003e is executed with parameters to disable HTTP logging, such as \u003ccode\u003ehttplogging\u003c/code\u003e or \u003ccode\u003edontlog:true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command modifies the IIS configuration, preventing HTTP request logs from being recorded.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions on the compromised server (e.g., web shell deployment, data theft).\u003c/li\u003e\n\u003cli\u003eWith HTTP logging disabled, the attacker\u0026rsquo;s activities are not recorded in standard IIS logs, hindering forensic analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and continues to exploit the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to a significant reduction in visibility into attacker activities on IIS servers. The lack of HTTP logs hinders incident response efforts, making it difficult to identify the scope and nature of the compromise. This could lead to prolonged attacker presence, further data exfiltration, or deployment of malicious software. 
This technique is a common step to evade defenses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect IIS HTTP Logging Disabled via AppCmd.exe\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture command-line arguments of \u003ccode\u003eappcmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003eappcmd.exe\u003c/code\u003e with command-line arguments related to \u003ccode\u003ehttplogging\u003c/code\u003e or \u003ccode\u003edontlog:true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eappcmd.exe\u003c/code\u003e being executed by non-administrator accounts or unusual parent processes.\u003c/li\u003e\n\u003cli\u003eReview IIS configuration regularly for any unauthorized changes to HTTP logging settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-01T00:00:00Z","date_published":"2024-01-01T00:00:00Z","id":"/briefs/2024-01-disable-iis-logging/","summary":"This analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers, allowing adversaries to evade detection by removing evidence of their actions.","title":"Detection of IIS HTTP Logging Disabled via AppCmd.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-iis-logging/"}],"language":"en","title":"CraftedSignal Threat Feed — Logging","version":"https://jsonfeed.org/version/1.1"}