From dfd316c0ce2f11b223753c4ab3b8a2b8753b4f37 Mon Sep 17 00:00:00 2001
From: frack113 <magicfrancois@gmail.com>
Date: Wed, 6 Oct 2021 17:46:15 +0200
Subject: [PATCH] Add web_iis_tilt_shortname_scan.yml

---
 rules/web/web_iis_tilt_shortname_scan.yml | 30 +++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/web/web_iis_tilt_shortname_scan.yml

diff --git a/rules/web/web_iis_tilt_shortname_scan.yml b/rules/web/web_iis_tilt_shortname_scan.yml
new file mode 100644
index 000000000..c97b5ed10
--- /dev/null
+++ b/rules/web/web_iis_tilt_shortname_scan.yml
@@ -0,0 +1,30 @@
+title: Successful IIS Shortname Fuzzing Scan
+id:  7cb02516-6d95-4ffc-8eee-162075e111ac
+status: experimental
+author: frack113
+description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~.
+references:
+    - https://github.com/projectdiscovery/nuclei-templates/blob/master/fuzzing/iis-shortname.yaml
+    - https://www.exploit-db.com/exploits/19525
+    - https://github.com/lijiejie/IIS_shortname_Scanner
+date: 2021/10/06
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri|contains: '~1'
+        c-uri|endswith: 'a.aspx'
+        cs-method:
+            - GET
+            - OPTIONS
+        #only succes
+        sc-status:
+            - 200
+            - 301
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
\ No newline at end of file