Microsoft IIS Connection Strings Decryption
Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/18"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server
11access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account
12password using aspnet_regiis command.
13"""
14from = "now-9m"
15index = [
16 "winlogbeat-*",
17 "logs-endpoint.events.process-*",
18 "logs-windows.*",
19 "endgame-*",
20 "logs-system.security*",
21]
22language = "eql"
23license = "Elastic License v2"
24max_signals = 33
25name = "Microsoft IIS Connection Strings Decryption"
26references = [
27 "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
28 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
29]
30risk_score = 73
31rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
32setup = """## Setup
33
34If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
35events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
36Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
37`event.ingested` to @timestamp.
38For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
39"""
40severity = "high"
41tags = [
42 "Domain: Endpoint",
43 "OS: Windows",
44 "Use Case: Threat Detection",
45 "Tactic: Credential Access",
46 "Data Source: Elastic Endgame",
47 "Data Source: Elastic Defend",
48]
49timestamp_override = "event.ingested"
50type = "eql"
51
52query = '''
53process where host.os.type == "windows" and event.type == "start" and
54 (process.name : "aspnet_regiis.exe" or ?process.pe.original_file_name == "aspnet_regiis.exe") and
55 process.args : "connectionStrings" and process.args : "-pdf"
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1003"
63name = "OS Credential Dumping"
64reference = "https://attack.mitre.org/techniques/T1003/"
65
66
67[rule.threat.tactic]
68id = "TA0006"
69name = "Credential Access"
70reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
In this blog I’ll cover how to use native IIS tools to recover encrypted database passwords from web.config files and leverage them to break into the internal network from the DMZ.
Read More -
Greenbug is using off-the-shelf and living-off-the-land tools in an information-gathering campaign targeting multiple telecoms organizations.
Read More
Related rules
- Command Shell Activity Started via RunDLL32
- Credential Acquisition via Registry Hive Dumping
- Full User-Mode Dumps Enabled System-Wide
- Microsoft IIS Service Account Password Dumped
- Modification of WDigest Security Provider