Microsoft IIS Connection Strings Decryption

Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or similar access can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using the aspnet_regiis command.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/24"

[rule]
author = ["Elastic"]
description = """
Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server
access via a webshell or similar access can decrypt and dump any hardcoded connection strings, such as the MSSQL service
account password using the aspnet_regiis command.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "Microsoft IIS Connection Strings Decryption"
references = [
    "https://www.netspi.com/blog/technical-blog/network-pentesting/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
    "https://symantec-enterprise-blogs.security.com/blog-post/greenbug-espionage-telco-south-asia",
]
risk_score = 73
rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
  process.args : "connectionStrings" and process.args : ("-pdf", "-pd")
'''

note = """## Triage and analysis

### Investigating Microsoft IIS Connection Strings Decryption

#### Possible investigation steps

- Which protected IIS configuration section and application path did the command expose?
  - Focus: `process.command_line` and `process.working_directory` for the protected-section decrypt operation ("connectionStrings" with "-pdf" or "-pd") and the target application path.
  - Implication: escalate faster when the target is a production web root, shared IIS configuration path, copied temp tree, or folder unrelated to the named IIS site; lower concern at this step only for a staging or development target path. Path context alone never closes the alert.

- Is the aspnet_regiis instance the expected signed .NET utility in the expected launch context?
  - Focus: `process.executable`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.parent.command_line`.
  - Implication: escalate when the binary is renamed, unsigned, user-writable, or launched from a shell, script host, IIS worker lineage, or remote-admin chain that does not fit the workflow. Expected Microsoft identity reduces masquerade concern, but never clears the decrypt action by itself.

- Do the user, parent chain, and session type fit IIS administration on this host?
  - Focus: `user.id`, `process.parent.command_line`, and `process.Ext.session_info.logon_type`.
  - Hint: If parent lineage remains unclear, expand ancestry before accepting an IIS administration explanation.
  - Implication: escalate when an unusual user, web-content lineage, remote-interactive session, service context, or unusual admin context performs the decrypt; lower concern when the same user/host pair and parent workflow recur for IIS administration on this server.

- Did follow-on process activity expose, stage, or reuse the recovered secrets?
  - Focus: child and same-parent process starts, reading `process.executable` and `process.command_line` for shells, PowerShell, archive utilities, SQL clients, config copies, or output commands. $investigate_2
  - Hint: use sibling command lines to look for "aspnet_regiis -pdf appSettings", "aspnet_regiis -px", or direct IIS config-copy commands; if `process.entity_id` is absent, use the `host.id` + `process.parent.pid` or `process.pid` fallback branches in a tight alert-time window.
  - Implication: escalate when decryption is followed by shell output, copied configs, archive creation, SQL tooling such as sqlcmd/osql/isql, PowerShell database testing, or additional protected-section access.

- If available, do process-scoped file records corroborate config staging?
  - Focus: file activity scoped by `host.id` and `process.entity_id`, or direct children through `process.parent.entity_id`, for config copies, temp staging, and archives. $investigate_3
  - Implication: escalate when available records show copied "web.config", "applicationHost.config", or "machine.config" material, temp staging, or archive output. If `process.entity_id` is absent, use `host.id` + `process.pid` in a tight alert window; missing endpoint file telemetry is unresolved, not benign.

- If available, do process-scoped network records corroborate SQL access or transfer?
  - Focus: network activity scoped by `host.id` and `process.entity_id`, or direct children through `process.parent.entity_id`, for database, proxy, external, or share destinations. $investigate_4
  - Implication: escalate when available records show database connectivity, proxy use, external egress, or remote staging after the decrypt. If `process.entity_id` is absent, use `host.id` + `process.pid` in a tight alert window. Missing network telemetry is unresolved, not benign.

- If local findings remain suspicious or incomplete, do related alerts show broader credential-access activity?
  - Focus: related alerts for `user.id`, especially webshell execution, privilege escalation, lateral movement, SQL testing, archive/exfiltration, or repeated credential access. $investigate_0
  - Hint: compare `host.id` alerts for webshell, staging, exfiltration, persistence, or repeated aspnet_regiis activity on the IIS asset. $investigate_1
  - Implication: broaden response when either scope shows complementary webshell, staging, SQL access, or credential-access activity. No related alerts only limits scope; it does not close the decrypt activity.

- Based on the evidence gathered, what disposition is supported?
  - Focus: `process.command_line`, `process.executable`, `process.code_signature.subject_name`, `process.parent.command_line`, `process.Ext.session_info.logon_type`, optional file/network corroboration, and related-alert scope.
  - Implication: escalate when those categories show unrecognized decryption, config staging, SQL testing, or secret reuse; close only when telemetry from the same categories aligns with one exact IIS maintenance, deployment, migration, or recovery workflow, using outside confirmation only to corroborate that exact activity; preserve and escalate if evidence is mixed or incomplete.

### False positive analysis

- Recognized IIS maintenance, deployment, or migration can legitimately run aspnet_regiis against connection strings. Confirm only when telemetry shows the utility path and signer, parent workflow, command target, `user.id`, `host.id`, and follow-on process activity all align with the same change.
- IR/recovery can also be legitimate when responders decrypt a known application path to restore service or rotate secrets. Confirm that config copies, SQL testing, transfer evidence, and credential rotation stay inside the recovery scope; if external records are unavailable, close only when this alert's telemetry is complete and non-contradictory.
- Build exceptions from the minimum confirmed workflow: `process.executable`, `process.code_signature.subject_name`, parent workflow, exact target path, `user.id`, and `host.id`. Avoid exceptions on aspnet_regiis alone, "connectionStrings" alone, or host alone.

### Response and remediation

- If confirmed benign, document the recognized utility path, target path, operator, session type, parent lineage, and follow-on activity before reversing temporary containment. Create an exception only if that same pattern recurs across prior alerts from this rule.
- If suspicious but unconfirmed, preserve the recovered `process.entity_id`, `process.command_line`, target application path, child-process lineage, copied config material, archive names, and any confirmed destinations before destructive changes. Apply reversible containment first, such as temporarily restricting outbound connectivity or share access for the affected `host.id`; escalate to host isolation or account action only if follow-on commands, copied configs, or related alerts show broader compromise and the IIS host can tolerate it.
- If confirmed malicious, preserve the same artifacts, then use endpoint response to isolate the host or terminate the responsible process. If direct response is unavailable, escalate with the preserved artifact set to the team that can act.
- Rotate the credentials exposed by the targeted connection strings, including database passwords, service-account secrets, and any downstream application credentials discovered during the investigation. Prioritize credentials tied to production databases or shared service accounts.
- Before deleting or restoring anything, review related `host.id` and `user.id` activity for the same aspnet_regiis arguments, targeted config paths, copied config filenames, database destinations, and adjacent protected-section abuse such as "aspnet_regiis -pdf appSettings" or "aspnet_regiis -px". Then eradicate the webshells, scripts, copied configuration files, archives, and persistence mechanisms uncovered during the investigation, and remediate the initial access or privilege path that allowed the decrypt action.
- After containment, scope other hosts for the same aspnet_regiis arguments, targeted config paths, follow-on database or archive activity, and adjacent protected-section abuse ("aspnet_regiis -pdf appSettings", "aspnet_regiis -px", or direct IIS config copies).
- Post-incident hardening: restrict aspnet_regiis use against production IIS paths to recognized administration workflows and document the recognized target-path and destination patterns that justified any exception.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.name",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.working_directory",
    "process.pe.original_file_name",
    "process.parent.entity_id",
    "process.parent.executable",
    "process.parent.command_line",
    "process.code_signature.subject_name",
    "process.Ext.session_info.logon_type",
]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Child and sibling processes near aspnet_regiis"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.parent.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity for aspnet_regiis and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network activity for aspnet_regiis and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
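As an added example (not Elastic's own code), the rule's EQL match and the guide's first three triage checks (binary identity, parent lineage, session type) re-implemented in Python and run over constructed ECS-style process events. It assumes aspnet_regiis's documented argument layout (`-pdf <section> <physicalDir>`, `-pd <section> -app <virtualPath>`) and Windows logon type 10 for remote-interactive sessions; the event field names are those the rule itself lists.

```python
"""Added example (not Elastic's code): the rule's EQL match and the guide's
binary-identity, lineage and session checks, run over constructed events."""

def matches_rule(ev):
    """Mirror the EQL: ':' compares case-insensitively, '==' exactly."""
    args = [a.lower() for a in ev.get("process.args", [])]
    name_ok = (ev.get("process.name", "").lower() == "aspnet_regiis.exe"
               or ev.get("process.pe.original_file_name") == "aspnet_regiis.exe")
    return (ev.get("host.os.type") == "windows" and ev.get("event.type") == "start"
            and name_ok and "connectionstrings" in args
            and any(a in ("-pdf", "-pd") for a in args))

def target_path(args):
    """Recover the decrypt target from aspnet_regiis's argument layout:
    -pdf <section> <physicalDir>   or   -pd <section> -app <virtualPath>."""
    low = [a.lower() for a in args]
    if "-pdf" in low:
        i = low.index("-pdf")
        return args[i + 2] if i + 2 < len(args) else None
    if "-pd" in low and "-app" in low:
        i = low.index("-app")
        return args[i + 1] if i + 1 < len(args) else None
    return None  # -pd without -app targets the machine-level web.config

WEB_WORKERS = {"w3wp.exe"}  # IIS worker lineage, the webshell launch pattern
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
REMOTE_INTERACTIVE = 10     # Windows logon type for RDP / RemoteInteractive

def triage(ev):
    """Return matched flag, recovered target and escalation reasons drawn from
    the guide's steps 1-3. An empty list means 'no finding here', not benign."""
    findings = []
    if not matches_rule(ev):
        return {"matched": False, "target": None, "findings": findings}
    if ev.get("process.name", "").lower() != "aspnet_regiis.exe":
        findings.append("renamed binary (matched on original_file_name only)")
    if not ev.get("process.code_signature.trusted") or \
            ev.get("process.code_signature.subject_name") != "Microsoft Corporation":
        findings.append("signature missing or not Microsoft")
    if "\\microsoft.net\\framework" not in ev.get("process.executable", "").lower():
        findings.append("executable outside the .NET Framework directory")
    parent = ev.get("process.parent.name", "").lower()
    if parent in WEB_WORKERS:
        findings.append("launched from IIS worker lineage")
    elif parent in SHELLS:
        findings.append("launched from a shell or script host")
    if ev.get("process.Ext.session_info.logon_type") == REMOTE_INTERACTIVE:
        findings.append("remote-interactive session")
    return {"matched": True, "target": target_path(ev.get("process.args", [])),
            "findings": findings}

# Constructed sample events in ECS dotted-key form; none are real telemetry.
FX = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
def _ev(name, exe, args, parent, logon, orig="aspnet_regiis.exe"):
    return {"host.os.type": "windows", "event.type": "start", "process.name": name,
            "process.executable": exe, "process.args": args,
            "process.pe.original_file_name": orig,
            "process.code_signature.subject_name": "Microsoft Corporation",
            "process.code_signature.trusted": True, "process.parent.name": parent,
            "process.Ext.session_info.logon_type": logon}

SAMPLES = {
    # signed binary in its normal path, but spawned by the IIS worker (webshell lineage)
    "webshell": _ev("aspnet_regiis.exe", FX,
                    ["aspnet_regiis.exe", "-pd", "connectionStrings", "-app", "/Portal"],
                    "w3wp.exe", 5),
    # renamed copy in a user-writable path, run over RDP from PowerShell
    "renamed": _ev("regiis.exe", r"C:\Users\Public\regiis.exe",
                   ["regiis.exe", "-pdf", "connectionStrings", r"D:\inetpub\wwwroot"],
                   "powershell.exe", REMOTE_INTERACTIVE),
    # encrypt operation (-pef): outside the rule's scope, must not match
    "encrypt": _ev("aspnet_regiis.exe", FX,
                   ["aspnet_regiis.exe", "-pef", "connectionStrings", r"D:\sites\staging"],
                   "cmd.exe", 2),
}
```

`triage(SAMPLES["renamed"])` returns four findings while the webshell case returns one, which is the point of the guide's "expected Microsoft identity never clears the decrypt action" caveat: the signed, correctly placed binary is the more dangerous event here because of its parent.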
