HTTP Logging Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
Sigma rule (View on GitHub)
1title: HTTP Logging Disabled On IIS Server
2id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
3status: experimental
4description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
5references:
6 - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
7 - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
8 - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
9author: frack113
10date: 2024-10-06
11tags:
12 - attack.defense-evasion
13 - attack.t1562.002
14 - attack.t1505.004
15logsource:
16 product: windows
17 service: iis-configuration
18detection:
19 selection:
20 EventID: 29
21 Configuration: '/system.webServer/httpLogging/@dontLog'
22 NewValue: 'true'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
You can configure logging on your web server or website that records information about HTTP requests and errors. The information in your log can help you tro...
Read More -
This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations.
Read More -
Overview The <httpLogging> element allows you to configure IIS to generate log entries for only successful requests, failed requests, or both. After yo...
Read More
Related rules
- ETW Logging/Processing Option Disabled On IIS Server
- New Module Module Added To IIS Server
- Previously Installed IIS Module Was Removed
- Audit Policy Tampering Via Auditpol
- Audit Policy Tampering Via NT Resource Kit Auditpol