ETW Logging/Processing Option Disabled On IIS Server

Rule Info

Name
ETW Logging/Processing Option Disabled On IIS Server
Author
frack113, Nasreddine Bencherchali
Description
Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
Reference
https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
Date
2024-10-06 00:00:00
Modified
None
Id
a5b40a90-baf5-4bf7-a6f7-373494881d22
Tags
attack.defense-evasion attack.t1562.002 attack.t1505.004
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=a5b40a90-baf5-4bf7-a6f7-373494881d22

Rule History

Author
Title
Date
Commit
frack113
Merge PR #4935 from @frack113 - Add new IIS logsource and related rules
2024-10-06
c70fff4b8
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022