Microsoft IIS Connection Strings Decryption
Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/18"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/11/02"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server
13access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account
14password using aspnet_regiis command.
15"""
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-endpoint.events.process-*",
20 "logs-windows.forwarded*",
21 "logs-windows.sysmon_operational-*",
22 "endgame-*",
23 "logs-system.security*",
24 "logs-m365_defender.event-*",
25 "logs-sentinel_one_cloud_funnel.*",
26 "logs-crowdstrike.fdr*",
27]
28language = "eql"
29license = "Elastic License v2"
30max_signals = 33
31name = "Microsoft IIS Connection Strings Decryption"
32references = [
33 "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
34 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
35]
36risk_score = 73
37rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
38severity = "high"
39tags = [
40 "Domain: Endpoint",
41 "OS: Windows",
42 "Use Case: Threat Detection",
43 "Tactic: Credential Access",
44 "Data Source: Elastic Endgame",
45 "Data Source: Elastic Defend",
46 "Data Source: System",
47 "Data Source: Microsoft Defender for Endpoint",
48 "Data Source: Sysmon",
49 "Data Source: SentinelOne",
50 "Data Source: Crowdstrike",
51]
52timestamp_override = "event.ingested"
53type = "eql"
54
55query = '''
56process where host.os.type == "windows" and event.type == "start" and
57 (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
58 process.args : "connectionStrings" and process.args : "-pdf"
59'''
60
61
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1003"
66name = "OS Credential Dumping"
67reference = "https://attack.mitre.org/techniques/T1003/"
68
69
70[rule.threat.tactic]
71id = "TA0006"
72name = "Credential Access"
73reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
In this blog I’ll cover how to use native IIS tools to recover encrypted database passwords from web.config files and leverage them to break into the internal network from the DMZ.
Read More -
Greenbug is using off-the-shelf and living-off-the-land tools in an information-gathering campaign targeting multiple telecoms organizations.
Read More
Related rules
- Credential Acquisition via Registry Hive Dumping
- NTDS or SAM Database File Copied
- Potential Veeam Credential Access Command
- Searching for Saved Credentials via VaultCmd
- Symbolic Link to Shadow Copy Created