Detection | medium | test

Successful IIS Shortname Fuzzing Scan

When IIS uses an old .NET Framework, it is possible to enumerate folders with the "~" symbol.

François Hubaut | Created Wed Oct 06 | Updated Mon Jan 02 | 7cb02516-6d95-4ffc-8eee-162075e111ac | web
Log Source
Web Server Log
Category: Web Server Log (raw: webserver)

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic (1 selector)
detection:
    selection:
        cs-uri-query|contains: '~1'
        cs-uri-query|endswith: 'a.aspx'
        cs-method:
            - GET
            - OPTIONS
        # Success only
        sc-status:
            - 200
            - 301
    condition: selection
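
The selection above, evaluated in plain Python over constructed log events. This is an added example, not part of the rule or of the Sigma project's code. It assumes the log pipeline places the requested URI in cs-uri-query (the field the rule inspects); the sample lines, addresses and helper names are constructed for illustration.

```python
SELECTION = {
    "cs-uri-query|contains": ["~1"],
    "cs-uri-query|endswith": ["a.aspx"],
    "cs-method": ["GET", "OPTIONS"],
    "sc-status": ["200", "301"],  # success only
}

# Constructed sample; assumes the pipeline puts the requested URI in cs-uri-query.
SAMPLE_LOG = """\
#Fields: c-ip cs-method cs-uri-query sc-status
192.0.2.10 GET /ABCDEF~1/a.aspx 200
192.0.2.10 OPTIONS /abcdef~1/A.ASPX 301
192.0.2.10 GET /ABCDEF~1/a.aspx 404
192.0.2.10 POST /ABCDEF~1/a.aspx 200
192.0.2.11 GET /app/data.aspx 200
192.0.2.12 GET /files/REPORT~1.PDF 200
"""

def parse_events(text):
    """Yield one dict per log line, using the #Fields: directive for names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def value_matches(value, modifier, pattern):
    # Sigma string comparisons are case-insensitive by default.
    value, pattern = value.lower(), pattern.lower()
    if modifier == "contains":
        return pattern in value
    return value.endswith(pattern) if modifier == "endswith" else value == pattern

def matches(event, selection=SELECTION):
    """All fields must match (AND); any listed value may match (OR)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not any(value_matches(value, modifier, p) for p in patterns):
            return False
    return True

def detect(text=SAMPLE_LOG):
    return [e for e in parse_events(text) if matches(e)]

if __name__ == "__main__":
    print(*detect(), sep="\n")
```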
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
7cb02516-6d95-4ffc-8eee-162075e111ac
Status
test
Level
medium
Type
Detection
Created
Wed Oct 06
Modified
Mon Jan 02
Path
rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml
Raw Tags
attack.initial-access, attack.t1190