| ID | Technique | Tactic |
|---|---|---|
| T1071.001 | Web Protocols | Command And Control |
| T1190 | Exploit Public-Facing Application | Initial Access |
Detection: HTTP Request to Reserved Name on IIS Server
Description
Detects attempts to exploit a request smuggling technique against IIS that leverages a Windows quirk where requests for reserved Windows device names such as "/con" trigger an early server response before the request body is received. When combined with a Content-Length desynchronization, this behavior can lead to a parsing confusion between frontend and backend.
Search
1
2| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/con", "/prn", "/aux", "/nul", "/com1","/com2","/com3","/com4", "/com5","/com6","/com7") by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method
3| `drop_dm_object_name("Web")`
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `http_request_to_reserved_name_on_iis_server_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Suricata | N/A | 'suricata' |
'suricata' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| http_request_to_reserved_name_on_iis_server_filter | search * |
http_request_to_reserved_name_on_iis_server_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
Delivery
DE.CM
CIS 13
APT19
APT28
APT29
APT32
APT33
APT37
APT38
APT39
APT41
APT42
APT5
Agrius
Axiom
BITTER
BRONZE BUTLER
BackdoorDiplomacy
BlackByte
BlackTech
Blue Mockingbird
Chimera
Cinnamon Tempest
Cobalt Group
Confucius
Daggerfly
Dark Caracal
Dragonfly
Earth Lusca
Ember Bear
FIN13
FIN4
FIN7
FIN8
Fox Kitten
GALLIUM
GOLD SOUTHFIELD
Gamaredon Group
HAFNIUM
Higaisa
INC Ransom
Inception
Ke3chang
Kimsuky
Lazarus Group
Leviathan
LuminousMoth
Magic Hound
Medusa Group
Metador
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
OilRig
Orangeworm
Play
Rancor
RedCurl
RedEcho
Rocke
Salt Typhoon
Sandworm Team
Sea Turtle
Sidewinder
SilverTerrier
Stealth Falcon
Storm-0501
TA505
TA551
TeamTNT
Threat Group-3390
ToddyCat
Tropic Trooper
Turla
UNC3886
Volatile Cedar
Volt Typhoon
WIRTE
Windshift
Winter Vivern
Wizard Spider
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
To implement this analytic, ensure proper logging is occurring with IIS, Apache, or a Proxy server and that these logs are being ingested into Splunk. The analytic was written against Suricata. The proper TA will need to be enabled and should be mapped to CIM and the Web datamodel. Ingestion of the data source is required to utilize this detection. In addition, if it is not mapped to the datamodel, modify the query for your application logs to look for requests the same URI and investigate further.
Known False Positives
False positives are not expected on IIS servers, as the detection is based on the presence of web requests to reserved names, which is not a common page to be accessed by legitimate users. Modify the query as needed to reduce false positives or hunt for additional indicators of compromise.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Known scripting tool was used against a web request. The source IP is $src$ and the destination is $dest$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 31 | src |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | suricata |
suricata |
| Integration | ✅ Passing | Dataset | suricata |
suricata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1