Detectionmediumtest

ETW Logging/Processing Option Disabled On IIS Server

Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François Hubaut, Nasreddine Bencherchali (Nextron Systems)Created Sun Oct 06a5b40a90-baf5-4bf7-a6f7-373494881d22windows

Log Source

Windowsiis-configuration

ProductWindows← raw: windows

Serviceiis-configuration← raw: iis-configuration

Detection Logic

detection:
    selection:
        EventID: 29
        Configuration|endswith: '@logTargetW3C'
        OldValue|contains: 'ETW'
    filter_main_etw_added:
        NewValue|contains: 'ETW'
    condition: selection and not 1 of filter_main_*

False Positives

Legitimate administrator activity

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence

Sub-techniques

T1562.002 · Disable Windows Event Logging T1505.004 · IIS Components

Rule Metadata

Rule ID

a5b40a90-baf5-4bf7-a6f7-373494881d22

Status

test

Level

medium

Type

Detection

Created

Sun Oct 06

Author

François Hubaut, Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.t1562.002attack.t1505.004

View on GitHub