valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
104ee6c33b
SigmaHQ/rules/windows/builtin/win_susp_iss_module_install.yml

35 lines
1008 B
YAML
Raw Blame History

---
action: global
title: IIS Native-Code Module Command Line Installation
description: Detects suspicious IIS native-code module installations via command line
status: experimental
references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
author: Florian Roth
tags:
- attack.persistence
- attack.t1100
detection:
selection:
CommandLine:
- '*\APPCMD.EXE install module /name:*'
condition: selection
falsepositives:
- Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
Reference in New Issue View Git Blame Copy Permalink