title: Certificate Request Export to Exchange Webserver
id: b7bc7038-638b-4ffd-880c-292c692209ef
status: test
description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
references:
    - https://twitter.com/GossiTheDog/status/1429175908905127938
author: Max Altgelt (Nextron Systems)
date: 2021-08-23
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    service: msexchange-management
    product: windows
detection:
    keywords_export_command:
        '|all':
            - 'New-ExchangeCertificate'
            - ' -GenerateRequest'
            - ' -BinaryEncoded'
            - ' -RequestFile'
    keywords_export_params:
        - '\\\\localhost\\C$'
        - '\\\\127.0.0.1\\C$'
        - 'C:\\inetpub'
        - '.aspx'
    condition: keywords_export_command and keywords_export_params
falsepositives:
    - Unlikely
level: critical

title: Mailbox Export to Exchange Webserver
id: 516376b4-05cd-4122-bae0-ad7641c38d48
status: test
description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
references:
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-04-30
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    service: msexchange-management
    product: windows
detection:
    export_command:
        '|all':
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
    export_params:
        - '-FilePath "\\\\' # We care about any share location.
        - '.aspx'
    role_assignment:
        '|all':
            - 'New-ManagementRoleAssignment'
            - ' -Role "Mailbox Import Export"'
            - ' -User '
    condition: (export_command and export_params) or role_assignment
falsepositives:
    - Unlikely
level: critical

title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: test
description: Detects possible command execution by web application/web shell
references:
    - Personal Experience of the Author
    - https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019-10-12
modified: 2025-12-05
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www
        Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL:
            - 'execve'
            - 'execveat'
        euid: 33
    condition: selection
falsepositives:
    - Admin activity
    - Crazy web applications
level: critical

title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
status: test
description: |
    Detects a highly relevant Antivirus alert that reports a web shell.
    It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://github.com/tennc/webshell
    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
    - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
              - 'ASP.'
              - 'IIS/BackDoor'
              - 'JAVA/Backdoor'
              - 'JSP.'
              - 'Perl.'
              - 'PHP.'
              - 'Troj/ASP'
              - 'Troj/JSP'
              - 'Troj/PHP'
              - 'VBS/Uxor' # looking for 'VBS/' would also find downloader's and droppers meant for desktops
        - Signature|contains:
              - 'ASP_' # looking for 'VBS_' would also find downloader's and droppers meant for desktops
              - 'ASP:'
              - 'ASP.Agent'
              - 'ASP/'
              # - 'ASP/Agent'
              - 'Aspdoor'
              - 'ASPXSpy'
              - 'Backdoor.ASP'
              - 'Backdoor.Java'
              - 'Backdoor.JSP'
              - 'Backdoor.PHP'
              - 'Backdoor.VBS'
              - 'Backdoor/ASP'
              - 'Backdoor/Java'
              - 'Backdoor/JSP'
              - 'Backdoor/PHP'
              - 'Backdoor/VBS'
              - 'C99shell'
              - 'Chopper'
              - 'filebrowser'
              - 'JSP_'
              - 'JSP:'
              - 'JSP.Agent'
              - 'JSP/'
              # - 'JSP/Agent'
              - 'Perl:'
              - 'Perl/'
              - 'PHP_'
              - 'PHP:'
              - 'PHP.Agent'
              - 'PHP/'
              # - 'PHP/Agent'
              - 'PHPShell'
              - 'PShlSpy'
              - 'SinoChoper'
              - 'Trojan.ASP'
              - 'Trojan.JSP'
              - 'Trojan.PHP'
              - 'Trojan.VBS'
              - 'VBS.Agent'
              - 'VBS/Agent'
              - 'Webshell'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), MSTI (query)
date: 2022-10-01
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_origin:
        - Image|endswith: '\w3wp.exe'
        - ParentImage|endswith: '\w3wp.exe'
    selection_cmdline:
        CommandLine|contains:
            - '&ipconfig&echo'
            - '&quser&echo'
            - '&whoami&echo'
            - '&c:&echo'
            - '&cd&echo'
            - '&dir&echo'
            - '&echo [E]'
            - '&echo [S]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Exchange Set OabVirtualDirectory ExternalUrl Property
id: 9db37458-4df2-46a5-95ab-307e7f29e675
status: test
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
references:
    - https://twitter.com/OTR_Community/status/1371053369071132675
author: Jose Rodriguez @Cyb3rPandaH
date: 2021-03-15
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords:
        '|all':
            - 'Set-OabVirtualDirectory'
            - 'ExternalUrl'
            - 'Page_Load'
            - 'script'
    condition: keywords
falsepositives:
    - Unknown
level: high

title: Failed MSExchange Transport Agent Installation
id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
status: test
description: Detects a failed installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-07-12
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    service: msexchange-management
    product: windows
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        EventID: 6
        Data|contains: 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: high

title: HTTP Logging Disabled On IIS Server
id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
status: test
description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration: '/system.webServer/httpLogging/@dontLog'
        NewValue: 'true'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Linux Webshell Indicators
id: 818f7b24-0fba-4c49-a073-8b755573b9c7
status: test
description: Detects suspicious sub processes of web server processes
references:
    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-15
modified: 2022-12-28
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_general:
        ParentImage|endswith:
            - '/httpd'
            - '/lighttpd'
            - '/nginx'
            - '/apache2'
            - '/node'
            - '/caddy'
    selection_tomcat:
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'tomcat'
    selection_websphere:  # ? just guessing
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'websphere'
    sub_processes:
        Image|endswith:
            - '/whoami'
            - '/ifconfig'
            - '/ip'
            - '/bin/uname'
            - '/bin/cat'
            - '/bin/crontab'
            - '/hostname'
            - '/iptables'
            - '/netstat'
            - '/pwd'
            - '/route'
    condition: 1 of selection_* and sub_processes
falsepositives:
    - Web applications that invoke Linux command line tools
level: high

title: Shellshock Expression
id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
status: test
description: Detects shellshock expressions in log files
references:
    - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
author: Florian Roth (Nextron Systems)
date: 2017-03-14
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
detection:
    keywords:
        - '(){:;};'
        - '() {:;};'
        - '() { :;};'
        - '() { :; };'
    condition: keywords
falsepositives:
    - Unknown
level: high

title: Suspicious ASPX File Drop by Exchange
id: bd1212e5-78da-431e-95fa-c58e3237a8e6
related:
    - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
      type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems), MSTI (query, idea)
date: 2022-10-01
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
        TargetFilename|contains:
            - 'FrontEnd\HttpProxy\'           # from GTSC and MSTI reports
            - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
    - id: 344482e4-a477-436c-aa70-7536d18a48c7
      type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
    - Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
    - attack.t1505.003
    - attack.t1190
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sqlservr.exe'
        Image|endswith:
            # You can add other uncommon or suspicious processes
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\tasklist.exe'
            - '\wsl.exe'
    filter_optional_datev:
        ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
        ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
        Image: 'C:\Windows\System32\cmd.exe'
        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
    condition: selection and not 1 of filter_optional_*
level: high

title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
    Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
    This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
    - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\w3wp.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '.asax'
            - '.ascx'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cmd'
            - '.cer'
            - '.config'
            - '.hta'
            - '.js'
            - '.jsp'
            - '.jspx'
            - '.php'
            - '.ps1'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious IIS Module Registration
id: 043c4b8b-3a54-4780-9682-081cb6b8185c
status: test
description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
references:
    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems), Microsoft (idea)
date: 2022-08-04
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\w3wp.exe'
    selection_cli_1:
        CommandLine|contains: 'appcmd.exe add module'
    selection_cli_2:
        CommandLine|contains: ' system.enterpriseservices.internal.publish'
        Image|endswith: '\powershell.exe'
    selection_cli_3:
        CommandLine|contains|all:
            - 'gacutil'
            - ' /I'
    condition: selection_parent and 1 of selection_cli_*
falsepositives:
    - Administrative activity
level: high

title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\MSExchangeMailboxReplication.exe'
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
    Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1505.003
    - attack.t1190
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\php.exe'
            - '\tomcat.exe'
            - '\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
            - '\w3wp.exe'
            - '\ws_TomcatService.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.home'
            - 'catalina.jar'
    selection_anomaly_children:
        Image|endswith:
            - '\arp.exe'
            - '\at.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dsget.exe'
            - '\hostname.exe'
            - '\nbtstat.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netdom.exe'
            - '\netsh.exe'
            - '\nltest.exe'
            - '\ntdsutil.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\qprocess.exe'
            - '\query.exe'
            - '\qwinsta.exe'
            - '\reg.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wusa.exe'
    filter_main_fp_1:
        ParentImage|endswith: '\java.exe'
        CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
    filter_main_fp_2:
        ParentImage|endswith: '\java.exe'
        CommandLine|contains|all:
            - 'sc query'
            - 'ADManager Plus'
    condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
    - Particular web applications may spawn a shell process legitimately
level: high

title: Suspicious Windows Strings In URI
id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
status: test
description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '=C:/Users'
            - '=C:/Program%20Files'
            - '=C:/Windows'
            - '=C%3A%5CUsers'
            - '=C%3A%5CProgram%20Files'
            - '=C%3A%5CWindows'
    condition: selection
falsepositives:
    - Legitimate application and websites that use windows paths in their URL
level: high

title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
status: test
description: Detects certain command line parameters often used during reconnaissance activity via web shells
references:
    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
    - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
date: 2017-01-01
modified: 2024-12-14
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\php-cgi.exe'
            - '\nginx.exe'
            - '\httpd.exe'
            - '\caddy.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    selection_susp_net_utility:
        OriginalFileName:
            - 'net.exe'
            - 'net1.exe'
        CommandLine|contains:
            - ' user '
            - ' use '
            - ' group '
    selection_susp_ping_utility:
        OriginalFileName: 'ping.exe'
        CommandLine|contains: ' -n '
    selection_susp_change_dir:
        CommandLine|contains:
            - '&cd&echo'  # china chopper web shell
            - 'cd /d '  # https://www.computerhope.com/cdhlp.htm
    selection_susp_wmic_utility:
        OriginalFileName: 'wmic.exe'
        CommandLine|contains: ' /node:'
    selection_susp_powershell_cli:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -w hidden '
            - ' -windowstyle hidden'
            - '.WebClient).Download'
    selection_susp_misc_discovery_binaries:
        - Image|endswith:
              - '\dsquery.exe'
              - '\find.exe'
              - '\findstr.exe'
              - '\ipconfig.exe'
              - '\netstat.exe'
              - '\nslookup.exe'
              - '\pathping.exe'
              - '\quser.exe'
              - '\schtasks.exe'
              - '\systeminfo.exe'
              - '\tasklist.exe'
              - '\tracert.exe'
              - '\ver.exe'
              - '\wevtutil.exe'
              - '\whoami.exe'
        - OriginalFileName:
              - 'dsquery.exe'
              - 'find.exe'
              - 'findstr.exe'
              - 'ipconfig.exe'
              - 'netstat.exe'
              - 'nslookup.exe'
              - 'pathping.exe'
              - 'quser.exe'
              - 'schtasks.exe'
              - 'sysinfo.exe'
              - 'tasklist.exe'
              - 'tracert.exe'
              - 'ver.exe'
              - 'VSSADMIN.EXE'
              - 'wevtutil.exe'
              - 'whoami.exe'
    selection_susp_misc_discovery_commands:
        CommandLine|contains:
            - ' Test-NetConnection '
            - 'dir \'  # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
    condition: 1 of selection_webserver_* and 1 of selection_susp_*
falsepositives:
    - Unknown
level: high

title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
    - https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
   # Webserver
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    # Suspicious child processes
    selection_child_1:
        # Process dumping
        CommandLine|contains|all:
            - 'rundll32'
            - 'comsvcs'
    selection_child_2:
        # Winrar exfil
        CommandLine|contains|all:
            - ' -hp'
            - ' a '
            - ' -m'
    selection_child_3:
        # User add
        CommandLine|contains|all:
            - 'net'
            - ' user '
            - ' /add'
    selection_child_4:
        CommandLine|contains|all:
            - 'net'
            - ' localgroup '
            - ' administrators '
            - '/add'
    selection_child_5:
        Image|endswith:
            # Credential stealing
            - '\ntdsutil.exe'
            # AD recon
            - '\ldifde.exe'
            - '\adfind.exe'
            # Process dumping
            - '\procdump.exe'
            - '\Nanodump.exe'
            # Destruction / ransom groups
            - '\vssadmin.exe'
            - '\fsutil.exe'
    selection_child_6:
        # SUspicious patterns
        CommandLine|contains:
            - ' -decode '  # Used with certutil
            - ' -NoP '  # Often used in malicious PowerShell commands
            - ' -W Hidden '  # Often used in malicious PowerShell commands
            - ' /decode '  # Used with certutil
            - ' /ticket:'  # Rubeus
            - ' sekurlsa'  # Mimikatz
            - '.dmp full'  # Process dumping method apart from procdump
            - '.downloadfile('  # PowerShell download command
            - '.downloadstring('  # PowerShell download command
            - 'FromBase64String' # PowerShell encoded payload
            - 'process call create' # WMIC process creation
            - 'reg save '  # save registry SAM - syskey extraction
            - 'whoami /priv'
    condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
    - Unlikely
level: high

title: Webshell ReGeorg Detection Via Web Logs
id: 2ea44a60-cfda-11ea-87d0-0242ac130003
status: test
description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
references:
    - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
    - https://github.com/sensepost/reGeorg
author: Cian Heasley
date: 2020-08-04
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - 'cmd=read'
            - 'connect&target'
            - 'cmd=connect'
            - 'cmd=disconnect'
            - 'cmd=forward'
    filter:
        cs-referer: null
        cs-user-agent: null
        cs-method: POST
    condition: selection and filter
falsepositives:
    - Web applications that use the same URL parameters as ReGeorg
level: high

title: Webshell Tool Reconnaissance Activity
id: f64e5c19-879c-4bae-b471-6d84c8339677
status: test
description: |
    Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
references:
    - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
author: Cian Heasley, Florian Roth (Nextron Systems)
date: 2020-07-22
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.jar'
    selection_recon:
        CommandLine|contains:
            - 'perl --help'
            - 'perl -h'
            - 'python --help'
            - 'python -h'
            - 'python3 --help'
            - 'python3 -h'
            - 'wget --help'
    condition: 1 of selection_webserver_* and selection_recon
falsepositives:
    - Unknown
level: high

title: Windows Webshell Strings
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
status: test
description: Detects common commands used in Windows webshells
references:
    - https://bad-jubies.github.io/RCE-NOW-WHAT/
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-02-19
modified: 2022-11-18
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection_method:
        cs-method: 'GET'
    selection_keywords:
        # The "%20" is URL encoded version of the space
        # The "%2B" is URL encoded version of the "+"
        - '=whoami'
        - '=net%20user'
        - '=net+user'
        - '=net%2Buser'
        - '=cmd%20/c%'
        - '=cmd+/c+'
        - '=cmd%2B/c%'
        - '=cmd%20/r%'
        - '=cmd+/r+'
        - '=cmd%2B/r%'
        - '=cmd%20/k%'
        - '=cmd+/k+'
        - '=cmd%2B/k%'
        - '=powershell%'
        - '=powershell+'
        - '=tasklist%'
        - '=tasklist+'
        - '=wmic%'
        - '=wmic+'
        - '=ssh%'
        - '=ssh+'
        - '=python%'
        - '=python+'
        - '=python3%'
        - '=python3+'
        - '=ipconfig'
        - '=wget%'
        - '=wget+'
        - '=curl%'
        - '=curl+'
        - '=certutil'
        - '=copy%20%5C%5C'
        - '=dsquery%'
        - '=dsquery+'
        - '=nltest%'
        - '=nltest+'
    condition: all of selection_*
falsepositives:
    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
    - User searches in search boxes of the respective website
level: high

title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Modifications to a config that will serve an adversary's impacts or persistence
author: Austin Clark
date: 2019-08-12
modified: 2025-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.impact
    - attack.t1490
    - attack.t1505
    - attack.t1565.002
    - attack.t1053
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
        - 'ntp server'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands
level: medium

title: ETW Logging/Processing Option Disabled On IIS Server
id: a5b40a90-baf5-4bf7-a6f7-373494881d22
status: test
description: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
author: frack113, Nasreddine Bencherchali
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|endswith: '@logTargetW3C'
        OldValue|contains: 'ETW'
    filter_main_etw_added:
        NewValue|contains: 'ETW'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium

title: IIS Native-Code Module Command Line Installation
id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
status: test
description: Detects suspicious IIS native-code module installations via command line
references:
    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems)
date: 2019-12-11
modified: 2024-03-13
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'install'
            - 'module'
        CommandLine|contains|windash: '-name:'
    filter_iis_setup:
        ParentImage: 'C:\Windows\System32\inetsrv\iissetup.exe'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown as it may vary from organisation to organisation how admins use to install IIS modules
level: medium

title: MSExchange Transport Agent Installation
id: 83809e84-4475-4b69-bc3e-4aad8568612f
related:
    - id: 83809e84-4475-4b69-bc3e-4aad8568612f
      type: similar
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium

title: MSExchange Transport Agent Installation - Builtin
id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
related:
    - id: 83809e84-4475-4b69-bc3e-4aad8568612f
      type: derived
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    product: windows
    service: msexchange-management
detection:
    selection:
        - 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium

title: New Module Module Added To IIS Server
id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
status: test
description: Detects the addition of a new module to an IIS server.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/add'
    filter_main_builtin:
        NewValue:
            - 'AnonymousAuthenticationModule'
            - 'CustomErrorModule'
            - 'DefaultDocumentModule'
            - 'DirectoryListingModule'
            - 'FileCacheModule'
            - 'HttpCacheModule'
            - 'HttpLoggingModule'
            - 'ProtocolSupportModule'
            - 'RequestFilteringModule'
            - 'StaticCompressionModule'
            - 'StaticFileModule'
            - 'TokenCacheModule'
            - 'UriCacheModule'
    filter_main_remove:
        NewValue: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium

title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium

title: Potential Webshell Creation On Static Website
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
references:
    - PT ESC rule and personal experience
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
date: 2019-10-22
modified: 2023-10-15
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection_wwwroot_path:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_wwwroot_ext:
        TargetFilename|contains:
            - '.ashx'
            - '.asp'
            - '.ph'
            - '.soap'
    selection_htdocs_path:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_htdocs_ext:
        TargetFilename|contains: '.ph'
    # selection_tomcat_path:
    #     TargetFilename|contains: '\webapps\ROOT'
    # selection_tomcat_ext:
    #     TargetFilename|contains:
    #         - '.jsp' # .jspx, .jspf
    #         - '.jsv'
    #         - '.jsw'
    filter_main_temp:  # FP when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    filter_main_system:
        Image: 'System' # FP when backup/restore from drivers
    filter_main_legitimate:
        TargetFilename|contains: '\xampp'
    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator or developer creating legitimate executable files in a web application folder
level: medium

title: Suspicious File Drop by Exchange
id: 6b269392-9eba-40b5-acb6-55c882b20ba6
related:
    - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
      type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems)
date: 2022-10-04
tags:
    - attack.persistence
    - attack.t1190
    - attack.initial-access
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
            - '.ps1'
            - '.bat'
            - '.exe'
            - '.dll'
            - '.vbs'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Suspicious File Write to Webapps Root Directory
id: 89c42960-f244-4dad-9151-ae9b1a3287a2
status: experimental
description: |
    Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
    This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: file_event
detection:
    # Add more suspicious processes or paths or extensions as needed
    selection_susp_img:
        Image|endswith:
            - '\dotnet.exe'
            - '\w3wp.exe'
            - '\java.exe'
    selection_servers:
        TargetFilename|contains:
            - '\apache'
            - '\tomcat'
    selection_path:
        TargetFilename|contains: '\webapps\ROOT\'
    selection_susp_extensions:
        TargetFilename|endswith: '.jsp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022-12-27
references:
    - https://github.com/sqlmapproject/sqlmap
tags:
    - attack.exfiltration
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1190
    - attack.t1505.001
logsource:
    category: database
    definition: 'Requirements: Must be able to log the SQL queries'
detection:
    keywords:
        - 'drop'
        - 'truncate'
        - 'dump'
        - 'select \*'
    condition: keywords
falsepositives:
    - Inventory and monitoring activity
    - Vulnerability scanners
    - Legitimate applications
level: medium

title: Previously Installed IIS Module Was Removed
id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
status: test
description: Detects the removal of a previously installed IIS module.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: Nasreddine Bencherchali
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/remove'
    condition: selection
falsepositives:
    - Legitimate administrator activity
# Note: Upgrade after an initial baseline
level: low