EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Suspicious IIS URL GlobalRules Rewrite Via AppCmd

Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.

Detection Query

selection_img:
  - Image|endswith: \appcmd.exe
  - OriginalFileName: appcmd.exe
selection_cli:
  CommandLine|contains|all:
    - set
    - config
    - section:system.webServer/rewrite/globalRules
    - "commit:"
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-01-22

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasion
Raw Content
title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08
status: test
description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
references:
    - https://twitter.com/malmoeb/status/1616702107242971144
    - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'set'
            - 'config'
            - 'section:system.webServer/rewrite/globalRules'
            - 'commit:'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of appcmd to add new URL rewrite rules
level: medium