Microsoft IIS Service Account Password Dumped
Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/18"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker
13with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19max_signals = 33
20name = "Microsoft IIS Service Account Password Dumped"
21references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
22risk_score = 73
23rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
24setup = """## Setup
25
26If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
27events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
28Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
29`event.ingested` to @timestamp.
30For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
31"""
32severity = "high"
33tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38process where host.os.type == "windows" and event.type == "start" and
39 (process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and
40 process.args : "/list" and process.args : "/text*password"
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1003"
48name = "OS Credential Dumping"
49reference = "https://attack.mitre.org/techniques/T1003/"
50
51
52[rule.threat.tactic]
53id = "TA0006"
54name = "Credential Access"
55reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
In this blog I’ll cover how to use native IIS tools to recover encrypted database passwords from web.config files and leverage them to break into the internal network from the DMZ.
Read More
Related rules
- Command Shell Activity Started via RunDLL32
- Creation or Modification of Domain Backup DPAPI private key
- Credential Acquisition via Registry Hive Dumping
- Full User-Mode Dumps Enabled System-Wide
- LSASS Memory Dump Creation