Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
Sigma rule
title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08
status: test
description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
references:
    - https://twitter.com/malmoeb/status/1616702107242971144
    - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/22
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'set'
            - 'config'
            - 'section:system.webServer/rewrite/globalRules'
            - 'commit:'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of appcmd to add new URL rewrite rules
level: medium