Techniques
Sample rules
Suspicious IIS URL GlobalRules Rewrite Via AppCmd
- source: sigma
- techniques:
Description
Detects usage of “appcmd” to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
    - set
    - config
    - section:system.webServer/rewrite/globalRules
    - 'commit:'
selection_img:
  - Image|endswith: \appcmd.exe
  - OriginalFileName: appcmd.exe
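The rule's matching logic, implemented in Python over constructed process-creation events (an added example, not part of the Sigma rule or its repository). It assumes events are dicts carrying the same field names the rule uses (Image, OriginalFileName, CommandLine) and applies Sigma's default case-insensitive string matching.

```python
# Substrings from selection_cli; compared lower-cased because Sigma string
# matching is case-insensitive by default.
REQUIRED_CLI_SUBSTRINGS = (
    "set",
    "config",
    "section:system.webserver/rewrite/globalrules",
    "commit:",
)

def matches_image(event: dict) -> bool:
    """selection_img: Image ends with \\appcmd.exe OR the PE's
    OriginalFileName is appcmd.exe (so a renamed copy still matches)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\appcmd.exe") or original == "appcmd.exe"

def matches_cli(event: dict) -> bool:
    """selection_cli: CommandLine must contain every required substring."""
    cmdline = event.get("CommandLine", "").lower()
    return all(s in cmdline for s in REQUIRED_CLI_SUBSTRINGS)

def is_suspicious_global_rewrite(event: dict) -> bool:
    """condition: all of selection_*"""
    return matches_image(event) and matches_cli(event)

# Constructed sample events (hypothetical values, not real telemetry).
SAMPLE_EVENTS = [
    {   # appcmd adding a global rewrite rule -> should alert
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": 'appcmd.exe set config -section:system.webServer/rewrite/globalRules /+"[name=\'Example\']" /commit:apphost',
    },
    {   # renamed copy of appcmd doing the same -> OriginalFileName still catches it
        "Image": r"C:\Temp\svc.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": "svc.exe set config -section:system.webServer/rewrite/globalRules /commit:apphost",
    },
    {   # routine inventory command -> benign, no alert
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "OriginalFileName": "appcmd.exe",
        "CommandLine": "appcmd.exe list site",
    },
    {   # same config section edited via the WebAdministration module, not appcmd:
        # outside this rule's scope, needs its own detection
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe Add-WebConfigurationProperty -Filter system.webServer/rewrite/globalRules -Name . -Value @{name='Example'}",
    },
]

def alerting_indices(events=SAMPLE_EVENTS) -> list:
    """Indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if is_suspicious_global_rewrite(e)]

if __name__ == "__main__":
    print(alerting_indices())  # [0, 1]
```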