ETW Logging/Processing Option Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
Sigma rule (View on GitHub)
1title: ETW Logging/Processing Option Disabled On IIS Server
2id: a5b40a90-baf5-4bf7-a6f7-373494881d22
3status: experimental
4description: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
5references:
6 - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
7 - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
8 - https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
9author: frack113, Nasreddine Bencherchali
10date: 2024-10-06
11tags:
12 - attack.defense-evasion
13 - attack.t1562.002
14 - attack.t1505.004
15logsource:
16 product: windows
17 service: iis-configuration
18detection:
19 selection:
20 EventID: 29
21 Configuration|endswith: '@logTargetW3C'
22 OldValue|contains: 'ETW'
23 filter_main_etw_added:
24 NewValue|contains: 'ETW'
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - Legitimate administrator activity
28level: medium
References
-
You can configure logging on your web server or website that records information about HTTP requests and errors. The information in your log can help you tro...
Read More -
This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations.
Read More -
Overview The <logFile> element of the <siteDefaults> element contains attributes that allow you to configure default logging for a site on IIS 7...
Read More
Related rules
- HTTP Logging Disabled On IIS Server
- New Module Module Added To IIS Server
- Previously Installed IIS Module Was Removed
- Audit Policy Tampering Via Auditpol
- Audit Policy Tampering Via NT Resource Kit Auditpol