IISReset Used to Stop IIS Services
Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users from accessing IIS web resources, thereby releasing/preventing locks which could inhibit ransomware-related encryption.
Sigma rule

```yaml
title: IISReset Used to Stop IIS Services
id: 3a56827c-353e-4e86-b429-674abae37f32
status: experimental
description: |
    Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users
    from accessing IIS web resources, thereby releasing/preventing locks which could inhibit
    ransomware-related encryption.
references:
    - https://engage.morphisec.com/threat-analysis-cicada3301
author: 'Micah Babinski, Based on Morphisec report by Michael Gorelik (@smgoreli)'
date: 2024-09-07
tags:
    - attack.impact
    - attack.defense-evasion
    - attack.t1562
    - attack.t1562.001
    - attack.t1529
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        - Image|endswith: '\iisreset.exe'
        - OriginalFileName: 'iisreset.exe.mui'
    selection_2:
        CommandLine|contains: '/stop'
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium
```
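To show how the detection logic above resolves against process-creation telemetry, here is an added Python example that re-implements the rule's matching semantics by hand. It is not code from the Sigma project or from the rule author; the event dictionaries are constructed for illustration and are not real telemetry. The example assumes the usual Sigma semantics: a list of maps under a selection is OR-joined, a map is AND-joined, string comparisons (`endswith`, `contains`, and plain equality) are case-insensitive, and `all of selection_*` requires every selection to hold. The fourth sample event shows why the rule also keys on `OriginalFileName`: a renamed copy of the binary still matches.

```python
"""Added example: evaluate the rule's detection block against constructed
process-creation events (not part of the Sigma project or the rule author's code)."""

from typing import Iterable

RULE_ID = "3a56827c-353e-4e86-b429-674abae37f32"  # taken from the rule above


def _ci(value) -> str:
    """Normalise a field for comparison; Sigma string matching is case-insensitive by default."""
    return str(value).lower() if value is not None else ""


def selection_1(event: dict) -> bool:
    """selection_1 is a list of two maps, so either clause is enough (OR)."""
    return (
        _ci(event.get("Image")).endswith("\\iisreset.exe")
        or _ci(event.get("OriginalFileName")) == "iisreset.exe.mui"
    )


def selection_2(event: dict) -> bool:
    """selection_2: CommandLine|contains '/stop'."""
    return "/stop" in _ci(event.get("CommandLine"))


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold (AND)."""
    return selection_1(event) and selection_2(event)


def evaluate(events: Iterable[dict]) -> list:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches(e)]


# Constructed sample events (illustrative only, not captured from a real host).
SAMPLE_EVENTS = [
    {   # expected: match (stop via iisreset.exe)
        "Image": "C:\\Windows\\System32\\iisreset.exe",
        "OriginalFileName": "iisreset.exe.mui",
        "CommandLine": "iisreset.exe /stop",
    },
    {   # expected: no match (restart, not stop)
        "Image": "C:\\Windows\\System32\\iisreset.exe",
        "OriginalFileName": "iisreset.exe.mui",
        "CommandLine": "iisreset.exe /restart",
    },
    {   # expected: no match (different binary; this rule is scoped to iisreset.exe)
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c net stop w3svc",
    },
    {   # expected: match via OriginalFileName even though the image was renamed,
        # and case-insensitively on '/STOP'
        "Image": "C:\\Temp\\renamed.exe",
        "OriginalFileName": "iisreset.exe.mui",
        "CommandLine": "renamed.exe /STOP",
    },
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] match: {hit['CommandLine']}")
```

Run it directly to print the two matching sample events. The third event is a useful reminder of the rule's scope: stopping the W3SVC service through other tooling is not covered here and would need a separate rule.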
Related rules
- Hyper-V Virtual Machine Discovery Shutdown via Powershell Cmdlets
- Azure Kubernetes Events Deleted
- Dism Remove Online Package
- Diamond Sleet APT Scheduled Task Creation - Registry
- Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback