Microsoft IIS Connection Strings Decryption
Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with access to a Microsoft IIS web server, for example through a webshell, can use the aspnet_regiis command to decrypt and dump any connection strings protected in web.config, such as the MSSQL service account password.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server
access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account
password using aspnet_regiis command.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-system.security*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "Microsoft IIS Connection Strings Decryption"
references = [
  "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
  "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
]
risk_score = 73
rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: System",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
  process.args : "connectionStrings" and process.args : "-pdf"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft IIS Connection Strings Decryption

Microsoft IIS often stores sensitive connection strings in encrypted form to secure database credentials. The `aspnet_regiis` tool can decrypt these strings, a feature intended for legitimate administrative tasks. However, attackers with access to the IIS server, possibly via a webshell, can exploit this to extract credentials. The detection rule identifies suspicious use of `aspnet_regiis` by monitoring process execution with specific arguments, flagging potential credential access attempts.

### Possible investigation steps

- Review the process execution details to confirm the presence of aspnet_regiis.exe with the specific arguments "connectionStrings" and "-pdf" to ensure the alert is not a false positive.
- Check the user account associated with the process execution to determine if it is a legitimate administrative account or a potentially compromised one.
- Investigate the source of the process initiation by examining the parent process and any related processes to identify if a webshell or unauthorized script triggered the execution.
- Analyze recent login activities and access logs on the IIS server to identify any unusual or unauthorized access patterns that could indicate a compromise.
- Review the server's security logs and any available network traffic data to detect any signs of data exfiltration or further malicious activity following the decryption attempt.
- Assess the integrity and security of the IIS server by checking for any unauthorized changes or suspicious files that may have been introduced by an attacker.

### False positive analysis

- Routine administrative tasks using aspnet_regiis for legitimate configuration changes can trigger the rule. To manage this, create exceptions for known maintenance windows or specific administrator accounts performing these tasks.
- Automated deployment scripts that include aspnet_regiis for setting up or updating IIS configurations may cause false positives. Exclude these scripts by identifying their unique process arguments or execution paths.
- Scheduled tasks or services that periodically run aspnet_regiis for configuration validation or updates might be flagged. Document these tasks and exclude them based on their scheduled times or associated service accounts.
- Development environments where developers frequently use aspnet_regiis for testing purposes can generate alerts. Consider excluding specific development servers or user accounts from the rule to reduce noise.
- Security tools or monitoring solutions that simulate attacks for testing purposes may inadvertently trigger the rule. Coordinate with security teams to whitelist these tools or their specific test scenarios.

### Response and remediation

- Immediately isolate the affected IIS server from the network to prevent further unauthorized access and potential data exfiltration.
- Terminate any suspicious processes related to aspnet_regiis.exe to halt any ongoing decryption attempts.
- Conduct a thorough review of IIS server logs and webshell activity to identify the source of the compromise and any other affected systems.
- Change all credentials associated with the decrypted connection strings, including database passwords and service account credentials, to prevent unauthorized access.
- Restore the IIS server from a known good backup taken before the compromise, ensuring that any webshells or malicious scripts are removed.
- Implement enhanced monitoring and alerting for any future unauthorized use of aspnet_regiis.exe, focusing on the specific arguments used in the detection query.
- Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the broader impact on the organization."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Microsoft IIS Connection Strings Decryption
ASP.NET applications hosted on IIS keep their database connection strings in the connectionStrings section of web.config. The protected configuration feature encrypts that section in place, with either the DPAPI or the RSA provider, so the credentials are not stored in plaintext. The same aspnet_regiis tool that encrypts the section (-pef) decrypts it back into the file (-pdf). That is a legitimate administrative operation, but a process running on the server with access to the same keys as the application, such as a webshell executing under the application pool identity, can run it with the same effect and read the database credentials. The detection rule identifies this use of aspnet_regiis by monitoring process starts for its name (or its PE original file name, which survives renaming the binary) together with the "connectionStrings" and "-pdf" arguments, flagging potential credential access attempts.
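The query above is EQL and only runs inside Elasticsearch. The following is an added example (not part of the rule and not Elastic's code) that re-implements its conditions in Python over five constructed ECS-style process events, and adds the two triage signals the investigation steps ask for: the parent process and the user context. The event shapes and field values are constructed; the eql_like and eql_eq helpers approximate the EQL ':' and '==' operators.

```python
"""Run the 'Microsoft IIS Connection Strings Decryption' EQL conditions over
constructed ECS-style process events and add the triage signals an analyst
checks first. Added example; not Elastic's code. Sample events are made up."""
import fnmatch
from typing import Any


def _get(event: dict, dotted: str) -> Any:
    """Walk a dotted ECS field name through nested dicts; None if absent."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def eql_eq(value: Any, literal: str) -> bool:
    """EQL '==': case-sensitive; an array field matches if any element equals."""
    return literal in _as_list(value)


def eql_like(value: Any, pattern: str) -> bool:
    """EQL ':': case-insensitive, wildcard-aware; arrays match on any element."""
    return any(v is not None and fnmatch.fnmatchcase(str(v).lower(), pattern.lower())
               for v in _as_list(value))


def rule_matches(event: dict) -> bool:
    """The rule's query, condition by condition."""
    if not eql_eq(_get(event, "host.os.type"), "windows"):
        return False
    if not eql_eq(_get(event, "event.type"), "start"):
        return False
    # Renamed binaries are caught through the PE original file name ("?" in the
    # query marks the field optional, so its absence does not abort the match).
    named = eql_like(_get(event, "process.name"), "aspnet_regiis.exe")
    pe_name = eql_eq(_get(event, "process.pe.original_file_name"), "aspnet_regiis.exe")
    if not (named or pe_name):
        return False
    args = _get(event, "process.args")
    return eql_like(args, "connectionStrings") and eql_like(args, "-pdf")


def webshell_indicators(event: dict) -> list[str]:
    """Context the investigation steps ask for: who ran it and from where.
    Commands issued through a webshell run as the application pool identity
    (user.domain 'IIS APPPOOL') under the IIS worker process w3wp.exe."""
    hits = []
    if eql_like(_get(event, "process.parent.name"), "w3wp.exe"):
        hits.append("parent is IIS worker process w3wp.exe")
    if eql_like(_get(event, "user.domain"), "IIS APPPOOL"):
        hits.append("ran as an application pool identity")
    return hits


def _event(name, args, parent, domain, user, original_file_name=None):
    ev = {
        "host": {"os": {"type": "windows"}},
        "event": {"type": ["start"]},
        "process": {"name": name, "args": args, "parent": {"name": parent}},
        "user": {"domain": domain, "name": user},
    }
    if original_file_name:
        ev["process"]["pe"] = {"original_file_name": original_file_name}
    return ev


# Constructed sample events (not real telemetry); paths and names are made up.
APP = r"C:\inetpub\wwwroot\app"
SAMPLE_EVENTS = {
    "webshell": _event("aspnet_regiis.exe", ["aspnet_regiis.exe", "-pdf", "connectionStrings", APP],
                       "w3wp.exe", "IIS APPPOOL", "DefaultAppPool"),
    "renamed": _event("svc.exe", ["svc.exe", "-pdf", "connectionStrings", APP],
                      "cmd.exe", "IIS APPPOOL", "DefaultAppPool", "aspnet_regiis.exe"),
    "admin": _event("aspnet_regiis.exe", ["aspnet_regiis.exe", "-pdf", "connectionStrings", APP],
                    "powershell.exe", "CONTOSO", "iisadmin"),
    "encrypt": _event("aspnet_regiis.exe", ["aspnet_regiis.exe", "-pef", "connectionStrings", APP],
                      "powershell.exe", "CONTOSO", "iisadmin"),
    "virtual_path": _event("aspnet_regiis.exe", ["aspnet_regiis.exe", "-pd", "connectionStrings", "-app", "/app"],
                           "w3wp.exe", "IIS APPPOOL", "DefaultAppPool"),
}


def triage(events: dict) -> dict:
    """Map each event label to (rule fired?, webshell indicators)."""
    return {label: (rule_matches(ev), webshell_indicators(ev)) for label, ev in events.items()}


if __name__ == "__main__":
    for label, (fired, hits) in triage(SAMPLE_EVENTS).items():
        print(f"{label:13} fired={fired!s:5} {'; '.join(hits) or '-'}")
```

The admin and webshell events show why the user and parent context matter: the rule fires identically for an administrator's maintenance run and for a webshell, and only the surrounding telemetry separates them. The rule keys on the -pdf switch, which decrypts by physical directory; aspnet_regiis also accepts -pd section -app /virtualpath, which decrypts the same section addressed by IIS virtual path, and as written the rule does not fire on that form (the virtual_path event above). Extend the args condition if that form is used in your environment.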
Possible investigation steps
- Review the process execution details to confirm the presence of aspnet_regiis.exe with the specific arguments "connectionStrings" and "-pdf" to ensure the alert is not a false positive.
- Check the user account associated with the process execution to determine if it is a legitimate administrative account or a potentially compromised one.
- Investigate the source of the process initiation by examining the parent process chain and any related processes. aspnet_regiis.exe spawned from the IIS worker process w3wp.exe, directly or through a cmd.exe or powershell.exe child, or running as an application pool identity (IIS APPPOOL\<pool name>), points to a webshell rather than an administrator session.
- Analyze recent login activities and access logs on the IIS server to identify any unusual or unauthorized access patterns that could indicate a compromise.
- Review the server's security logs and any available network traffic data to detect any signs of data exfiltration or further malicious activity following the decryption attempt.
- Assess the integrity and security of the IIS server by checking for any unauthorized changes or suspicious files that may have been introduced by an attacker.
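Once the alert is confirmed, the next question is what the attacker could read and which credentials have to be rotated. The following added example (not from the rule and not Elastic's or Microsoft's code) inspects the connectionStrings section of a web.config: it reports whether the section is still protected and by which provider, and for a plaintext or decrypted section it lists the SQL logins and servers without echoing the passwords. The two web.config fragments are constructed; the section layout (configProtectionProvider attribute, EncryptedData child, add elements with a connectionString attribute) follows the ASP.NET protected configuration format.

```python
"""Audit an ASP.NET web.config connectionStrings section: report whether it is
protected (encrypted in place by aspnet_regiis -pef) and, if it is plaintext or
has been decrypted with -pdf, list the SQL logins that must be rotated without
echoing their passwords. Added example, not Elastic's or Microsoft's code; the
two web.config fragments below are constructed."""
import xml.etree.ElementTree as ET

# Constructed: a section protected with the RSA provider (ciphertext is a placeholder).
ENCRYPTED_WEB_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>AAAAconstructedplaceholder==</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

# Constructed: what the same section looks like after decryption (or if never protected).
PLAINTEXT_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AppDb" providerName="System.Data.SqlClient"
         connectionString="Server=sql01.corp.example;Database=App;User Id=svc_app;Password=S3cret!" />
    <add name="Reports" providerName="System.Data.SqlClient"
         connectionString="Data Source=sql02;Initial Catalog=Reports;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>"""


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;...' into a dict with lowercased keys (keys are case-insensitive)."""
    out = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def _first(kv: dict, *keys):
    for key in keys:
        if key in kv:
            return kv[key]
    return None


def audit_connection_strings(xml_text: str) -> dict:
    """Describe the connectionStrings section without reproducing any secret."""
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    if section is None:
        return {"present": False, "protected": False, "provider": None, "entries": []}
    # A protected section carries configProtectionProvider and a single
    # EncryptedData child (in the xmlenc namespace) instead of <add> elements.
    protected = any(child.tag.endswith("EncryptedData") for child in section)
    entries = []
    for add in section.findall("add"):
        kv = parse_connection_string(add.get("connectionString", ""))
        integrated = (_first(kv, "integrated security", "trusted_connection") or "").lower()
        entries.append({
            "name": add.get("name"),
            "server": _first(kv, "server", "data source", "address", "addr"),
            "login": _first(kv, "user id", "uid", "user"),
            "has_password": bool(_first(kv, "password", "pwd")),
            "integrated_auth": integrated in {"sspi", "true", "yes"},
        })
    return {"present": True, "protected": protected,
            "provider": section.get("configProtectionProvider"), "entries": entries}


def rotation_targets(report: dict) -> list[str]:
    """Logins whose passwords were readable from the file and must be changed.
    Integrated-auth entries carry no password; the Windows identity the
    application pool runs as is what needs review for those."""
    return [f"{e['login']}@{e['server']}" for e in report["entries"] if e["has_password"]]


if __name__ == "__main__":
    for label, cfg in (("encrypted", ENCRYPTED_WEB_CONFIG), ("plaintext", PLAINTEXT_WEB_CONFIG)):
        report = audit_connection_strings(cfg)
        print(label, "protected:", report["protected"], "provider:", report["provider"])
        for e in report["entries"]:
            print("  ", e)
        print("   rotate:", rotation_targets(report))
```

Run it against the web.config of the application named in the alert's -pdf argument: a section that is still protected tells you the decryption was not written back (the attacker may still have read the output), while a plaintext section gives the rotation list directly.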
False positive analysis
- Routine administrative tasks using aspnet_regiis for legitimate configuration changes can trigger the rule. To manage this, create exceptions for known maintenance windows or specific administrator accounts performing these tasks.
- Automated deployment scripts that include aspnet_regiis for setting up or updating IIS configurations may cause false positives. Exclude these scripts by identifying their unique process arguments or execution paths.
- Scheduled tasks or services that periodically run aspnet_regiis for configuration validation or updates might be flagged. Document these tasks and exclude them based on their scheduled times or associated service accounts.
- Development environments where developers frequently use aspnet_regiis for testing purposes can generate alerts. Consider excluding specific development servers or user accounts from the rule to reduce noise.
- Security tools or monitoring solutions that simulate attacks for testing purposes may inadvertently trigger the rule. Coordinate with security teams to whitelist these tools or their specific test scenarios.
Response and remediation
- Immediately isolate the affected IIS server from the network to prevent further unauthorized access and potential data exfiltration.
- Terminate any suspicious processes related to aspnet_regiis.exe to halt any ongoing decryption attempts.
- Conduct a thorough review of IIS server logs and webshell activity to identify the source of the compromise and any other affected systems.
- Change all credentials associated with the decrypted connection strings, including database passwords and service account credentials, to prevent unauthorized access.
- Restore the IIS server from a known good backup taken before the compromise, ensuring that any webshells or malicious scripts are removed.
- Implement enhanced monitoring and alerting for any future unauthorized use of aspnet_regiis.exe, focusing on the specific arguments used in the detection query.
- Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the broader impact on the organization.
Related rules
- NTDS Dump via Wbadmin
- NTDS or SAM Database File Copied
- Potential Local NTLM Relay via HTTP
- Potential Veeam Credential Access Command
- Searching for Saved Credentials via VaultCmd