Home/Sigma rules
Sigma

Sigma detection rules

5 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

5 shown of 5
high
HTTP Logging Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
status test author frack113 id e8ebd53a-30c2-45bd-81bb-74befba07bdb
view Sigma YAML 
title: HTTP Logging Disabled On IIS Server
id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
status: test
description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration: '/system.webServer/httpLogging/@dontLog'
        NewValue: 'true'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious IIS Module Registration
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
status test author Florian Roth (Nextron Systems), Microsoft (idea) id 043c4b8b-3a54-4780-9682-081cb6b8185c
view Sigma YAML 
title: Suspicious IIS Module Registration
id: 043c4b8b-3a54-4780-9682-081cb6b8185c
status: test
description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
references:
    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems), Microsoft (idea)
date: 2022-08-04
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\w3wp.exe'
    selection_cli_1:
        CommandLine|contains: 'appcmd.exe add module'
    selection_cli_2:
        CommandLine|contains: ' system.enterpriseservices.internal.publish'
        Image|endswith: '\powershell.exe'
    selection_cli_3:
        CommandLine|contains|all:
            - 'gacutil'
            - ' /I'
    condition: selection_parent and 1 of selection_cli_*
falsepositives:
    - Administrative activity
level: high
medium
ETW Logging/Processing Option Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
status test author frack113, Nasreddine Bencherchali id a5b40a90-baf5-4bf7-a6f7-373494881d22
view Sigma YAML 
title: ETW Logging/Processing Option Disabled On IIS Server
id: a5b40a90-baf5-4bf7-a6f7-373494881d22
status: test
description: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
author: frack113, Nasreddine Bencherchali
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|endswith: '@logTargetW3C'
        OldValue|contains: 'ETW'
    filter_main_etw_added:
        NewValue|contains: 'ETW'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium
medium
New Module Module Added To IIS Server
Detects the addition of a new module to an IIS server.
status test author frack113 id dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
view Sigma YAML 
title: New Module Module Added To IIS Server
id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
status: test
description: Detects the addition of a new module to an IIS server.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/add'
    filter_main_builtin:
        NewValue:
            - 'AnonymousAuthenticationModule'
            - 'CustomErrorModule'
            - 'DefaultDocumentModule'
            - 'DirectoryListingModule'
            - 'FileCacheModule'
            - 'HttpCacheModule'
            - 'HttpLoggingModule'
            - 'ProtocolSupportModule'
            - 'RequestFilteringModule'
            - 'StaticCompressionModule'
            - 'StaticFileModule'
            - 'TokenCacheModule'
            - 'UriCacheModule'
    filter_main_remove:
        NewValue: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium
low
Previously Installed IIS Module Was Removed
Detects the removal of a previously installed IIS module.
status test author Nasreddine Bencherchali id 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
view Sigma YAML 
title: Previously Installed IIS Module Was Removed
id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
status: test
description: Detects the removal of a previously installed IIS module.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: Nasreddine Bencherchali
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/remove'
    condition: selection
falsepositives:
    - Legitimate administrator activity
# Note: Upgrade after an initial baseline
level: low
Showing 1-5 of 5
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin