Detectionhightest

HTTP Logging Disabled On IIS Server

Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sun Oct 06e8ebd53a-30c2-45bd-81bb-74befba07bdbwindows

Log Source

Windowsiis-configuration

ProductWindows← raw: windows

Serviceiis-configuration← raw: iis-configuration

Detection Logic

detection:
    selection:
        EventID: 29
        Configuration: '/system.webServer/httpLogging/@dontLog'
        NewValue: 'true'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence

Sub-techniques

T1562.002 · Disable Windows Event Logging T1505.004 · IIS Components

Rule Metadata

Rule ID

e8ebd53a-30c2-45bd-81bb-74befba07bdb

Status

test

Level

high

Type

Detection

Created

Sun Oct 06

Author

François Hubaut

Path

rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.t1562.002attack.t1505.004

View on GitHub