T1505.004 - IIS Components & T1562.002 - Disable HTTP logging (#2266)
@@ -0,0 +1,69 @@
|
||||
attack_technique: T1505.004
|
||||
display_name: IIS Components
|
||||
atomic_tests:
|
||||
- name: Install IIS Module using AppCmd.exe
|
||||
description: |
|
||||
The following Atomic will utilize AppCmd.exe to install a new IIS Module. IIS must be installed.
|
||||
This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
|
||||
A successful execution will install a module into IIS using AppCmd.exe.
|
||||
[Managing and installing Modules Reference](https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#to-install-a-module-using-appcmdexe)
|
||||
[IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
module_name:
|
||||
description: The name of the IIS module
|
||||
type: String
|
||||
default: DefaultDocumentModule_Atomic
|
||||
dll_path:
|
||||
description: The path to the DLL to be loaded
|
||||
type: path
|
||||
default: '%windir%\system32\inetsrv\defdoc.dll'
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
IIS must be installed in order to add a module to IIS.
|
||||
prereq_command: |
|
||||
$service = get-service w3svc -ErrorAction SilentlyContinue
|
||||
if($service){ Write-Host "IIS installed on $env:computername" } else { Write-Host "IIS is not installed on $env:computername" }
|
||||
get_prereq_command: |
|
||||
Install IIS to continue.
|
||||
executor:
|
||||
command: |
|
||||
%windir%\system32\inetsrv\appcmd.exe install module /name:#{module_name} /image:#{dll_path}
|
||||
cleanup_command: |
|
||||
%windir%\system32\inetsrv\appcmd.exe uninstall module #{module_name}
|
||||
name: command_prompt
|
||||
- name: Install IIS Module using PowerShell Cmdlet New-WebGlobalModule
|
||||
description: |
|
||||
The following Atomic will utilize PowerShell Cmdlet New-WebGlobalModule to install a new IIS Module. IIS must be installed.
|
||||
This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
|
||||
A successful execution will install a module into IIS using New-WebGlobalModule.
|
||||
[Managing IIS Modules with PowerShell](https://learn.microsoft.com/en-us/powershell/module/webadministration/set-webglobalmodule?view=windowsserver2022-ps)
|
||||
[IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
module_name:
|
||||
description: The name of the IIS module
|
||||
type: String
|
||||
default: DefaultDocumentModule_Atomic
|
||||
dll_path:
|
||||
description: The path to the DLL to be loaded
|
||||
type: path
|
||||
default: '%windir%\system32\inetsrv\defdoc.dll'
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
IIS must be installed in order to add a module to IIS.
|
||||
prereq_command: |
|
||||
$service = get-service w3svc -ErrorAction SilentlyContinue
|
||||
if($service){ Write-Host "IIS installed on $env:computername" } else { Write-Host "IIS is not installed on $env:computername" }
|
||||
get_prereq_command: |
|
||||
Install IIS to continue.
|
||||
executor:
|
||||
command: |
|
||||
New-WebGlobalModule -Name #{module_name} -Image #{dll_path}
|
||||
cleanup_command: |
|
||||
Remove-WebGlobalModule -Name #{module_name}
|
||||
name: powershell
|
||||
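Review bot: The dependency check at lines 84–93 (duplicated at 183–192) can never report a missing prerequisite: both branches only `Write-Host`, so `prereq_command` exits 0 whether or not `w3svc` exists, and `get_prereq_command` is a prose sentence rather than a runnable command (PowerShell would choke on the bare word `Install`). As far as I can tell the Atomic runner judges prerequisites by exit code, so the check should become `if($service){ Write-Host "IIS installed on $env:computername"; exit 0 } else { Write-Host "IIS is not installed on $env:computername"; exit 1 }` and the fix-up step should at least be a command, e.g. `Write-Host "Install IIS to continue."`. Registering a global module rewrites applicationHost.config, which needs an elevated session, so both `executor` blocks should also carry `elevation_required: true`. Neither test has an `auto_generated_guid`, unlike the existing test visible at line 290 of the other file; the CI bot may fill it in, but it is worth confirming.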
@@ -23,6 +23,27 @@ atomic_tests:
|
||||
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
|
||||
}
|
||||
name: powershell
|
||||
- name: Disable Windows IIS HTTP Logging via PowerShell
|
||||
description: |
|
||||
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
|
||||
This action requires HTTP logging configurations in IIS to be unlocked.
|
||||
|
||||
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
website_name:
|
||||
description: The name of the website on a server
|
||||
type: String
|
||||
default: Default Web Site
|
||||
executor:
|
||||
command: |
|
||||
set-WebConfigurationProperty -PSPath "IIS:\Sites\#{website_name}\" -filter "system.webServer/httpLogging" -name dontLog -value $true
|
||||
cleanup_command: |
|
||||
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
|
||||
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
|
||||
}
|
||||
name: powershell
|
||||
- name: Kill Event Log Service Threads
|
||||
auto_generated_guid: 41ac52ba-5d5e-40c0-b267-573ed90489bd
|
||||
description: 'Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html'
|
||||
|
||||
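Review bot: The cleanup sentence at line 239 is wrong for this test: nothing here touches auditpol — the cleanup resets IIS `httpLogging /dontLog:false` — so it should read `Use the cleanup command to re-enable HTTP logging (dontLog:false); a non-default value set before the test is not restored.` The cleanup also depends on appcmd.exe being present while the executor at line 269 uses the WebAdministration cmdlet, and the `if(Test-Path ...)` guard silently skips cleanup when appcmd is absent; mirroring the executor with `Set-WebConfigurationProperty -PSPath "IIS:\Sites\#{website_name}\" -filter "system.webServer/httpLogging" -name dontLog -value $false` keeps the test self-consistent, though the appcmd pattern does match the neighbouring test's cleanup at line 216. Writing site configuration requires an elevated session, so `elevation_required: true` under `executor` is worth adding, as is the `auto_generated_guid` the sibling test at line 290 carries. The hunk starts inside the previous test's cleanup and ends inside the 'Kill Event Log Service Threads' test, both of which continue outside it.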