The hypothesis is that the detection of ASPXSpy indicates potential adversary use of a known malicious framework, which could be leveraged by other threat actors for similar malicious purposes. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise or data exfiltration activities early.
YARA Rule
rule IronTiger_ASPXSpy
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "ASPXSpy detection. It might be used by other fraudsters"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "ASPXSpy" nocase wide ascii
        $str2 = "IIS Spy" nocase wide ascii
        $str3 = "protected void DGCoW(object sender,EventArgs e)" nocase wide ascii
    condition:
        any of ($str*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
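As an added example (not part of the original page or of Trend Micro's rule), the following Python re-implements the three rule strings with their nocase wide ascii modifiers and the any-of condition, and runs them over constructed sample files, so the effect of each modifier (the UTF-16LE "wide" form in particular) can be seen without a YARA install. File names and contents are constructed for the demonstration.

```python
import re

# The three string patterns from the IronTiger_ASPXSpy rule above,
# each declared "nocase wide ascii" in the YARA source.
RULE_STRINGS = {
    "$str1": "ASPXSpy",
    "$str2": "IIS Spy",
    "$str3": "protected void DGCoW(object sender,EventArgs e)",
}

def _pattern(text: str) -> re.Pattern:
    """Build one regex that matches `text` the way YARA's `nocase wide ascii`
    does: the plain ASCII form or the UTF-16LE ("wide") form, case-insensitively."""
    raw = text.encode("ascii")
    ascii_form = re.escape(raw)
    # YARA's "wide" modifier places a NUL byte after every character.
    wide_form = b"".join(re.escape(bytes([c])) + b"\x00" for c in raw)
    return re.compile(b"(?:" + ascii_form + b")|(?:" + wide_form + b")", re.IGNORECASE)

_PATTERNS = {name: _pattern(s) for name, s in RULE_STRINGS.items()}

def match_aspxspy(data: bytes) -> list[str]:
    """Return the identifiers of the rule strings found in `data`.
    The rule fires when the list is non-empty (condition: any of ($str*))."""
    return [name for name, pat in _PATTERNS.items() if pat.search(data)]

def scan(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a mapping of path -> content and return only the files that hit,
    mirroring what a YARA scan over a web root would report."""
    results = {path: match_aspxspy(data) for path, data in files.items()}
    return {path: hits for path, hits in results.items() if hits}

# Constructed sample inputs (not real captures): an ASCII web shell, a page
# saved as UTF-16LE (what the "wide" modifier is there to catch), and a benign
# page that mentions IIS without containing any of the rule's strings.
SAMPLE_FILES = {
    "wwwroot/shell.aspx": b'<%@ Page Language="C#" %>\n'
                          b"protected void DGCoW(object sender,EventArgs e) { }\n",
    "wwwroot/shell_utf16.aspx": "<!-- aspxspy -->\n".encode("utf-16-le"),
    "wwwroot/default.aspx": b"<html><body>Welcome to our IIS server</body></html>\n",
}

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        print(f"{path}: matched {', '.join(hits)}")
```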
Scenario: Legitimate scheduled job execution
Description: A scheduled job using aspnet_regiis.exe to register ASP.NET configuration.
Filter/Exclusion: Exclude processes where aspnet_regiis.exe is executed with the -px flag and the command line includes valid configuration paths.
Scenario: Admin task to update IIS configuration
Description: An administrator uses aspnet_regiis.exe to update IIS settings via the command line.
Filter/Exclusion: Exclude processes where the command line includes -px and the path is within the IIS configuration directory (e.g., %windir%\Microsoft.NET\Framework\v4.0.30319\).
Scenario: Deployment of a legitimate ASP.NET application
Description: A developer deploys a new ASP.NET application using a deployment tool like Web Deployment Tool (MSDeploy) or Octopus Deploy.
Filter/Exclusion: Exclude processes where the command line includes msdeploy.exe or Octopus.exe and the deployment path is known to be part of a legitimate CI/CD pipeline.
Scenario: PowerShell script for IIS management
Description: A PowerShell script is used to manage IIS configurations, which may invoke aspnet_regiis.exe indirectly.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the script path is known to be part of a legitimate administrative toolset.
Scenario: Antivirus or endpoint protection tool activity
Description: A security tool like Microsoft Defender or CrowdStrike may use aspnet_regiis.exe during a scan or remediation process.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., MsMpEng.exe, `Csws.exe