Microsoft IIS Service Account Password Dumped

Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to dump sensitive configuration data such as application pool credentials. An attacker with IIS web server access via a web shell can extract service account passwords by requesting full configuration output or targeting credential-related fields. Because administrators use the same AppCmd commands to inspect IIS configuration, matches should be triaged against the executing user and parent process; the rule ships at low severity for this reason.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/18"
# Integrations whose indices this rule queries; see `index` and the
# "Data Source:" tags in [rule] below.
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/21"

[rule]
author = ["Elastic"]
description = """
Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to dump sensitive configuration
data such as application pool credentials. An attacker with IIS web server access via a web shell can extract service
account passwords by requesting full configuration output or targeting credential-related fields.
"""
# Look-back window for each run. No schedule interval is set here (the platform
# default applies); the window is presumably wider than that interval so events
# that arrive late are not missed between runs -- confirm against deployment.
from = "now-9m"
# Process-event sources searched, one pattern per supported data source.
# NOTE(review): for the Windows Security event log sources (logs-system.security*,
# logs-windows.forwarded*), process.args is only populated when command-line
# auditing is enabled on the collecting hosts; without it the query below can
# never match from those sources. Verify on the hosts being monitored.
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Microsoft IIS Service Account Password Dumped"
references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
# Kept low: the query below cannot distinguish an attacker from an administrator
# running the same appcmd command, so a match is a triage lead (check the
# executing user and parent process), not a confirmed compromise.
risk_score = 21
rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
]
# Evaluate against ingest time rather than the event's own timestamp, so events
# shipped with a delay still fall inside the `from` window.
timestamp_override = "event.ingested"
type = "eql"

# Query notes:
# - `process.name : "appcmd.exe"` is a case-insensitive match; the second clause
#   catches a renamed copy of the binary via its PE original filename. The leading
#   `?` marks that field optional, so sources that omit it do not cause the query
#   to error.
# - `process.args : "list"` requires the `list` verb. The alternatives then match
#   the flags that expose credentials: `/text:` requests naming password,
#   processModel or userName fields; `/config` (full configuration output); and
#   any argument containing connectionString, which can embed database credentials.
# - `process.args == "/text:*"` deliberately uses `==`: under `:` the `*` would be
#   a wildcard matching every `/text:` argument, whereas `==` matches only the
#   literal "dump all fields" form.
# - NOTE(review): `/config` is an exact token match. If appcmd's `/config:*`
#   variant is in scope, it would not match this term -- consider `"/config*"`
#   after confirming the accepted syntax against the appcmd version deployed.
# - NOTE(review): no parent-process constraint (e.g. the IIS worker process) is
#   applied even though the description frames the threat as a web shell; that is
#   what keeps interactive administrative use in scope and the severity low.
query = '''
process where host.os.type == "windows" and event.type == "start" and
   (process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and
   process.args : "list" and
   (
     process.args : ("/text:*password*", "/text:*processModel*", "/text:*userName*", "/config", "*connectionstring*") or
     process.args == "/text:*"
   )
'''


# ATT&CK mapping. Both techniques sit under the single tactic declared in
# [rule.threat.tactic] at the end of this element.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

# Array-of-tables nesting: this sub-technique attaches to the immediately
# preceding [[rule.threat.technique]] entry (T1552), not to T1003.
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
