Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. Threat actors have been observed adding such rules so that requests are routed to their webshells.
Sigma rule

title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08
status: test
description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
references:
    - https://twitter.com/malmoeb/status/1616702107242971144
    - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'set'
            - 'config'
            - 'section:system.webServer/rewrite/globalRules'
            - 'commit:'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of appcmd to add new URL rewrite rules
level: medium
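The following is an added example (not part of the SigmaHQ rule or this page) that runs the rule's detection logic over a handful of constructed Windows process-creation events. It shows why both `Image` and `OriginalFileName` are checked (a renamed appcmd binary still fires), and that a site-level rewrite rule under `system.webServer/rewrite/rules` does not match, because the rule only looks for the `globalRules` section. The evaluator implements just the Sigma modifiers this rule uses (`endswith`, `contains|all`, plain equality), with Sigma's default case-insensitive string matching; the sample command lines are modelled on appcmd's general `set config -section:... /commit:apphost` syntax and are constructed, not captured telemetry.

```python
"""Minimal evaluator for the 'Suspicious IIS URL GlobalRules Rewrite Via AppCmd'
Sigma rule, run over constructed process_creation events.
Added example; not the rule's own code or official Sigma tooling."""

# The rule's detection block, transcribed as Python data.
RULE = {
    "selection_img": [                      # list of maps -> OR between them
        {"Image|endswith": "\\appcmd.exe"},
        {"OriginalFileName": "appcmd.exe"},
    ],
    "selection_cli": {                      # single map -> AND between fields
        "CommandLine|contains|all": [
            "set",
            "config",
            "section:system.webServer/rewrite/globalRules",
            "commit:",
        ]
    },
}


def _match_field(event, key, expected):
    """Evaluate one 'Field|modifier' : value(s) pair.
    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased before comparison."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    values = [str(v).lower() for v in values]
    if "contains" in mods:
        hits = [v in actual for v in values]
        return all(hits) if "all" in mods else any(hits)
    if "endswith" in mods:
        return any(actual.endswith(v) for v in values)
    if "startswith" in mods:
        return any(actual.startswith(v) for v in values)
    return any(actual == v for v in values)  # no modifier: exact match


def _match_selection(event, selection):
    """A map is an AND of its fields; a list of maps is an OR of its members."""
    if isinstance(selection, list):
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def matches_rule(event):
    """condition: all of selection_*  -> every selection must match."""
    return all(_match_selection(event, sel) for sel in RULE.values())


def scan(events):
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical; not real logs).
GLOBAL_RULE_CMD = (
    "appcmd.exe set config -section:system.webServer/rewrite/globalRules "
    "/+\"[name='shell',patternSyntax='Wildcard',stopProcessing='True']\" /commit:apphost"
)

SAMPLE_EVENTS = [
    {   # True positive: appcmd adding a global rewrite rule.
        "id": "tp-global-rule",
        "Image": "C:\\Windows\\System32\\inetsrv\\appcmd.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": GLOBAL_RULE_CMD,
    },
    {   # Same command from a renamed copy: Image misses, OriginalFileName hits.
        "id": "tp-renamed-binary",
        "Image": "C:\\ProgramData\\svc.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": GLOBAL_RULE_CMD.replace("appcmd.exe", "svc.exe", 1),
    },
    {   # Benign enumeration: right binary, no 'set config ... globalRules'.
        "id": "benign-list-sites",
        "Image": "C:\\Windows\\System32\\inetsrv\\appcmd.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": "appcmd.exe list site",
    },
    {   # Site-level rule under rewrite/rules: not covered by this rule.
        "id": "site-level-rule",
        "Image": "C:\\Windows\\System32\\inetsrv\\appcmd.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": (
            "appcmd.exe set config \"Default Web Site\" "
            "-section:system.webServer/rewrite/rules /+\"[name='x']\" /commit:apphost"
        ),
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:>20}: {'ALERT' if matches_rule(ev) else 'no match'}")
```

Running the block alerts on `tp-global-rule` and `tp-renamed-binary` only. Two practical notes follow from the sample set: an administrator legitimately adding a global rule produces an event indistinguishable from the first sample, which is exactly the false positive the rule declares, so triage should look at the rule body (`/+"[name=...]"`) and the target of any rewrite action; and an attacker who adds a site-level rule instead of a global one slips past this rule, so a companion rule on `section:system.webServer/rewrite/rules` is worth considering.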
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity