HTTP Request to Reserved Name on IIS Server
- source: splunk
- techniques:
- T1071.001
- T1190
Description
Detects attempts to exploit a request smuggling technique against IIS that leverages a Windows quirk where requests for reserved Windows device names such as “/con” trigger an early server response before the request body is received. When combined with a Content-Length desynchronization, this behavior can lead to a parsing confusion between frontend and backend.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url IN (
"*/aux",
"*/com1",
"*/com2",
"*/com3",
"*/com4",
"*/com5",
"*/com6",
"*/com7",
"*/con",
"*/nul",
"*/prn"
)
BY Web.src Web.dest Web.http_user_agent
Web.url Web.url_domain Web.status Web.http_method
| `drop_dm_object_name("Web")`
We have to add the logic below because the TA does not extract the URI path from the URL, and the wildcard anchors are short. Hence, to avoid false positives, we extract the URI path from the URL ourselves and check whether it is exactly a reserved name.
| eval uri=replace(url, url_domain, "")
| where uri IN (
"/aux",
"/com1",
"/com2",
"/com3",
"/com4",
"/com5",
"/com6",
"/com7",
"/con",
"/nul",
"/prn"
)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `http_request_to_reserved_name_on_iis_server_filter`
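The same two-stage filter re-implemented in Python over constructed events, so the effect of the extra `where` clause can be checked offline. This is an added example, not part of the rule or of Splunk's code; field names mirror the Web data model fields used above, and every IP, host, timestamp and URL value is made up.

```python
"""Two-stage URL filter of the rule above, run on constructed IIS-style events.
Added example: all values below are made up, not taken from real logs."""
from collections import defaultdict

RESERVED = ["aux", "com1", "com2", "com3", "com4", "com5", "com6", "com7",
            "con", "nul", "prn"]
DOMAIN = "web01.example.test"  # constructed Web.url_domain value


def ev(time, src, url, method="GET", status=200):
    """Build one record carrying the Web data model fields the rule groups by."""
    return {"_time": time, "src": src, "dest": "web01", "http_user_agent": "curl/8.0",
            "url": url, "url_domain": DOMAIN, "status": status, "http_method": method}


# Constructed traffic: two probes of /con, one /prn with the host left in the URL,
# one legitimate resource that merely ends in /con, and ordinary page traffic.
EVENTS = [
    ev("2024-05-01T10:00:00", "198.51.100.7", "/con", "POST", 400),
    ev("2024-05-01T10:00:05", "198.51.100.7", "/con", "POST", 400),
    ev("2024-05-01T10:01:00", "198.51.100.9", DOMAIN + "/prn", "POST", 400),
    ev("2024-05-01T10:02:00", "203.0.113.4", "/static/con"),
    ev("2024-05-01T10:03:00", "203.0.113.5", "/index.html"),
]


def stage1_wildcard(url):
    """tstats WHERE Web.url IN ("*/aux", ...): anything ending in a reserved name."""
    return any(url.endswith("/" + name) for name in RESERVED)


def stage2_exact(url, url_domain):
    """eval uri=replace(url, url_domain, "") | where uri IN ("/aux", ...).
    SPL replace() is regex-based; plain replace is equivalent for a literal host.
    Only a bare reserved path such as "/con" survives this stage."""
    uri = url.replace(url_domain, "")
    return uri in {"/" + name for name in RESERVED}


def run_rule(events):
    """Apply both stages, then aggregate like the tstats BY clause:
    key -> (count, firstTime, lastTime). ISO timestamps sort as strings."""
    rows = defaultdict(lambda: [0, None, None])
    for e in events:
        if not (stage1_wildcard(e["url"]) and stage2_exact(e["url"], e["url_domain"])):
            continue  # dropped by stage 1 (no match) or stage 2 (not a bare path)
        key = (e["src"], e["dest"], e["http_user_agent"], e["url"],
               e["url_domain"], e["status"], e["http_method"])
        row = rows[key]
        row[0] += 1
        row[1] = min(t for t in (row[1], e["_time"]) if t is not None)
        row[2] = max(t for t in (row[2], e["_time"]) if t is not None)
    return {k: tuple(v) for k, v in rows.items()}


if __name__ == "__main__":
    for key, (count, first, last) in run_rule(EVENTS).items():
        print(count, first, last, key)
```

Running it shows `/static/con` passing the wildcard stage but being dropped by the exact-path stage, which is the false-positive case the note above describes.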