LoFP

False positives are not expected on IIS servers, as the detection is based on the presence of web requests to reserved names, which are not pages commonly accessed by legitimate users. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.

Techniques

Sample rules

HTTP Request to Reserved Name on IIS Server

Description

Detects attempts to exploit a request smuggling technique against IIS that leverages a Windows quirk where requests for reserved Windows device names such as “/con” trigger an early server response before the request body is received. When combined with a Content-Length desynchronization, this behavior can lead to a parsing confusion between frontend and backend.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/con", "/prn", "/aux", "/nul", "/com1", "/com2", "/com3", "/com4", "/com5", "/com6", "/com7") by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `http_request_to_reserved_name_on_iis_server_filter`
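The same match applied outside Splunk, as an added example that is not part of the rule or of the security content project: it parses IIS W3C extended log lines (constructed sample data below), flags requests whose path is a reserved device name, and aggregates count, first and last time by the same fields the `tstats` clause groups on. Two departures from the query are assumptions of this example, not the rule's behaviour: matching is case-insensitive and ignores a trailing slash, and the name list is extended from the rule's `IN()` list to the full set of Windows reserved device names (COM8, COM9, LPT1 through LPT9).

```python
"""Reserved-name request detection over IIS W3C logs (added example, constructed data)."""
from typing import Dict, List, Tuple

# Names from the rule's IN() list, plus the remaining Windows reserved device
# names. Extending the list is an assumption of this example; the rule as written
# checks only the names in its query.
RESERVED_NAMES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Constructed sample log in the W3C extended format IIS writes by default.
# The #Fields header is parsed, not assumed, so column order can vary.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /index.html - 80 203.0.113.7 Mozilla/5.0 200
2024-05-01 10:00:02 10.0.0.5 POST /con - 80 198.51.100.23 curl/8.0 200
2024-05-01 10:00:03 10.0.0.5 POST /CON/ - 80 198.51.100.23 curl/8.0 400
2024-05-01 10:00:04 10.0.0.5 GET /images/logo.png - 80 203.0.113.7 Mozilla/5.0 200
2024-05-01 10:00:05 10.0.0.5 POST /com1 - 80 198.51.100.23 python-requests/2.31 200
2024-05-01 10:00:06 10.0.0.5 POST /con - 80 198.51.100.23 curl/8.0 200
"""

GroupKey = Tuple[str, str, str, str, str, str]  # src, dest, user agent, url, status, method


def is_reserved_request(uri_stem: str) -> bool:
    """True when the request path is exactly one reserved device name.

    The rule's Web.url comparison is exact ("/con" matches, "/CON/" does not);
    here case and a trailing slash are normalised so those variants also count.
    A reserved name below another directory ("/api/con") is not flagged.
    """
    path = uri_stem.strip().lower().rstrip("/")
    return path.lstrip("/") in RESERVED_NAMES


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_reserved_name_requests(text: str) -> Dict[GroupKey, Dict[str, object]]:
    """Mirror the tstats clause: count, firstTime, lastTime per grouping key."""
    groups: Dict[GroupKey, Dict[str, object]] = {}
    for row in parse_w3c(text):
        if not is_reserved_request(row["cs-uri-stem"]):
            continue
        key: GroupKey = (
            row["c-ip"], row["s-ip"], row["cs(User-Agent)"],
            row["cs-uri-stem"], row["sc-status"], row["cs-method"],
        )
        ts = f"{row['date']} {row['time']}"  # ISO-style, so string order is time order
        g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        g["count"] = int(g["count"]) + 1
        g["firstTime"] = min(str(g["firstTime"]), ts)
        g["lastTime"] = max(str(g["lastTime"]), ts)
    return groups


if __name__ == "__main__":
    for key, agg in find_reserved_name_requests(SAMPLE_LOG).items():
        src, dest, ua, url, status, method = key
        print(f"{src} -> {dest} {method} {url} {status} {ua}: "
              f"count={agg['count']} first={agg['firstTime']} last={agg['lastTime']}")
```

On the sample data the benign `/index.html` and `/images/logo.png` requests are ignored and three groups are reported, the `/con` group carrying a count of 2 with its first and last timestamps, which is the shape of the table the Splunk query produces before the `security_content_ctime` macros format the times.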