blue-team-tools/rules/windows/process_creation/win_pc_iis_http_logging.yml

title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: experimental
description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
author: frack113
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
date: 2022/01/09
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: \appcmd.exe
        CommandLine|contains|all: 
            - set 
            - config 
            - '/section:httplogging'
            - '/dontLog:true'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1562.002