Microsoft IIS Connection Strings Decryption
Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/18"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server
11access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account
12password using aspnet_regiis command.
13"""
14from = "now-9m"
15index = [
16 "winlogbeat-*",
17 "logs-endpoint.events.process-*",
18 "logs-windows.*",
19 "endgame-*",
20 "logs-system.security*",
21]
22language = "eql"
23license = "Elastic License v2"
24max_signals = 33
25name = "Microsoft IIS Connection Strings Decryption"
26references = [
27 "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
28 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
29]
30risk_score = 73
31rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
32setup = """## Setup
33
34If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
35events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
36Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
37`event.ingested` to @timestamp.
38For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
39"""
40severity = "high"
41tags = [
42 "Domain: Endpoint",
43 "OS: Windows",
44 "Use Case: Threat Detection",
45 "Tactic: Credential Access",
46 "Data Source: Elastic Endgame",
47 "Data Source: Elastic Defend",
48]
49timestamp_override = "event.ingested"
50type = "eql"
51
52query = '''
53process where host.os.type == "windows" and event.type == "start" and
54 (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
55 process.args : "connectionStrings" and process.args : "-pdf"
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1003"
63name = "OS Credential Dumping"
64reference = "https://attack.mitre.org/techniques/T1003/"
65
66
67[rule.threat.tactic]
68id = "TA0006"
69name = "Credential Access"
70reference = "https://attack.mitre.org/tactics/TA0006/"
References
Related rules
- Command Shell Activity Started via RunDLL32
- Credential Acquisition via Registry Hive Dumping
- Full User-Mode Dumps Enabled System-Wide
- Microsoft IIS Service Account Password Dumped
- Modification of WDigest Security Provider