Unusual Web Config File Access

 1[metadata]
 2creation_date = "2025/07/23"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2025/08/04"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects unusual access to the web.config file, which contains sensitive credential information such as database
11connection strings, machineKey validation/decryption keys, and SAML/OAuth token settings. Attackers can use the
12information extracted to forge malicious __VIEWSTATE requests for persistent RCE on the web server or pivot to the SQL
13server using exposed connection strings.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.file-*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Unusual Web Config File Access"
20note = """## Triage and analysis
21
22> **Disclaimer**:
23> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
24
25### Investigating Unusual Web Config File Access
26Web.config files are crucial in Windows environments, storing sensitive data like database credentials and encryption keys. Adversaries target these files to extract information for attacks such as forging malicious requests or accessing databases. The detection rule identifies suspicious access patterns by monitoring file access events in specific directories, helping analysts spot potential credential theft or server exploitation attempts.
27
28### Possible investigation steps
29
30- Investigate the user account associated with the access event to verify if the account has legitimate reasons to access the web.config file or if it might be compromised.
31- Analyze recent activity from the same user or IP address to identify any other suspicious behavior or access patterns that could indicate a broader security incident.
32- Review system logs and network traffic around the time of the alert to identify any related anomalies or signs of exploitation attempts, such as unusual database queries or web server requests.
33
34### False positive analysis
35
36- Routine administrative tasks by IT personnel may trigger alerts when accessing web.config files for legitimate configuration updates. To manage this, create exceptions for known administrative accounts or scheduled maintenance windows.
37- Automated backup processes that access web.config files can be mistaken for suspicious activity. Identify and exclude these processes by their specific user accounts or service names.
38- Web application updates or deployments often involve accessing web.config files. Exclude these activities by correlating them with known deployment tools or scripts.
39- Security scanning tools that check web.config files for vulnerabilities might generate false positives. Whitelist these tools by their process names or IP addresses to prevent unnecessary alerts.
40- Monitoring or logging solutions that periodically read web.config files for audit purposes can be excluded by identifying their specific access patterns and excluding them from the rule.
41
42### Response and remediation
43
44- Immediately isolate the affected server to prevent further unauthorized access and potential lateral movement within the network.
45- Conduct a thorough review of the web.config file to identify any unauthorized changes or access patterns, focusing on exposed credentials and keys.
46- Rotate all credentials and keys found within the web.config file, including database connection strings and encryption keys, to mitigate the risk of credential theft.
47- Implement additional monitoring and logging for access to web.config files across all servers to detect future unauthorized access attempts.
48- Escalate the incident to the security operations center (SOC) for further investigation and correlation with other potential indicators of compromise.
49- Review and update firewall rules and access controls to ensure that only authorized users and applications can access sensitive directories containing web.config files.
50- Conduct a post-incident analysis to identify gaps in security controls and enhance detection capabilities for similar threats in the future.
51"""
52references = [
53    "https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/",
54]
55risk_score = 47
56rule_id = "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4"
57severity = "medium"
58tags = [
59    "Domain: Endpoint",
60    "OS: Windows",
61    "Use Case: Threat Detection",
62    "Tactic: Credential Access",
63    "Data Source: Elastic Defend",
64    "Resources: Investigation Guide"
65]
66timestamp_override = "event.ingested"
67type = "new_terms"
68
69query = '''
70event.category:file and host.os.type:windows and event.action:open and
71  file.name:"web.config" and file.path : *VirtualDirectories*
72'''
73
74
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77[[rule.threat.technique]]
78id = "T1003"
79name = "OS Credential Dumping"
80reference = "https://attack.mitre.org/techniques/T1003/"
81
82
83
84[rule.threat.tactic]
85id = "TA0006"
86name = "Credential Access"
87reference = "https://attack.mitre.org/tactics/TA0006/"
88
89[rule.new_terms]
90field = "new_terms_fields"
91value = ["process.executable", "user.id"]
92[[rule.new_terms.history_window_start]]
93field = "history_window_start"
94value = "now-7d"