
Rule Info
Name: IIS HTTP Logging Disabled via PowerShell
Author: Swachhhanda Shrawan Poudel (Nextron Systems)
Description: Detects attempts to disable HTTP logging in Microsoft Internet Information Services (IIS) using PowerShell commands, which may indicate adversaries attempting to evade detection by disabling logging mechanisms. This technique can impair security monitoring and incident response capabilities by eliminating valuable log data.
Date: 2025-05-06 00:00:00
Modified: None
Id: f92ca918-580f-4997-bab8-75efe326b59b
Tags: attack.defense-evasion, attack.t1562.002, attack.persistence, attack.t1505.004
Type: Nextron Sigma feed only (private)