Microsoft IIS Connection Strings Decryption
Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/18"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server
13access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account
14password using aspnet_regiis command.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20max_signals = 33
21name = "Microsoft IIS Connection Strings Decryption"
22note = """## Setup
23
24If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
25"""
26references = [
27 "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
28 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
29]
30risk_score = 73
31rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
32severity = "high"
33tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38process where host.os.type == "windows" and event.type == "start" and
39 (process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and
40 process.args : "connectionStrings" and process.args : "-pdf"
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1003"
48name = "OS Credential Dumping"
49reference = "https://attack.mitre.org/techniques/T1003/"
50
51
52[rule.threat.tactic]
53id = "TA0006"
54name = "Credential Access"
55reference = "https://attack.mitre.org/tactics/TA0006/"
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
References
-
From the perspective of a penetration tester, it would be nice if every vulnerability provided a direct path to high-value systems on the internal network. However, the reality is that we aren’t always that lucky, and sometimes we land on an application server in the DMZ network first. In this blog I’ll cover how to use […]
Read More -
Greenbug is using off-the-shelf and living-off-the-land tools in an information-gathering campaign targeting multiple telecoms organizations.
Read More
Related rules
- Command Shell Activity Started via RunDLL32
- Creation or Modification of Domain Backup DPAPI private key
- Credential Acquisition via Registry Hive Dumping
- LSASS Memory Dump Creation
- Microsoft IIS Service Account Password Dumped