Suspicious IIS URL GlobalRules Rewrite Via AppCmd

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\appcmd.exe'
OriginalFileName: appcmd.exe

Stage 2: `all of selection_cli`

CommandLine|contains: 'commit:'
CommandLine|contains: config
CommandLine|contains: 'section:system.webServer/rewrite/globalRules'
CommandLine|contains: set

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`commit:` `config` corpus 8 (sigma 8) `section:system.webServer/rewrite/globalRules` `set` corpus 7 (sigma 7)
`Image`	ends_with	`\appcmd.exe` corpus 4 (sigma 4)
`OriginalFileName`	eq	`appcmd.exe` corpus 4 (sigma 4)