Unusual Web Config File Access

Detects unusual access to the web.config file, which contains sensitive credential information such as database connection strings, machineKey validation/decryption keys, and SAML/OAuth token settings. Attackers can use the information extracted to forge malicious __VIEWSTATE requests for persistent RCE on the web server or pivot to the SQL server using exposed connection strings.

Elastic rule

[metadata]
creation_date = "2025/07/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/04/27"

[rule]
author = ["Elastic"]
description = """
Detects unusual access to the web.config file, which contains sensitive credential information such as database
connection strings, machineKey validation/decryption keys, and SAML/OAuth token settings. Attackers can use the
information extracted to forge malicious __VIEWSTATE requests for persistent RCE on the web server or pivot to the SQL
server using exposed connection strings.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Web Config File Access"
references = [
    "https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/",
]
risk_score = 73
rule_id = "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category:file and host.os.type:windows and event.action:open and
  file.name:"web.config" and file.path : *VirtualDirectories* and
  not process.executable: (
        "C:\Program Files\Microsoft Security Client\MsMpEng.exe" or
        "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" or
        "C:\Windows\System32\MRT.exe" or
        "C:\Windows\System32\inetsrv\w3wp.exe"
  )
'''

note = """## Triage and analysis

### Investigating Unusual Web Config File Access

#### Possible investigation steps

- What process opened which "web.config" path, and what secrets could it expose?
  - Why: IIS, SharePoint, federation, or shared application configs can expose connection strings, MachineKey validation/decryption keys, and OAuth/SAML settings for ViewState forgery or credential pivots.
  - Focus: `file.path`, `process.entity_id`, `process.executable`, `user.id`, and `host.id`.
  - Implication: escalate when `file.path` points to SharePoint, federation, shared application, database-connected app, or another high-value IIS root; lower suspicion only when asset inventory or owner confirmation verifies a non-sensitive test path and later endpoint evidence stays inside that exact workflow.

- Is the reader a recognized maintenance component or an anomalous binary?
  - Focus: `process.executable`, `process.command_line`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.parent.executable`.
  - Implication: escalate when the reader is unsigned, user-writable, renamed, or launched by a shell, script host, web worker, or remote-admin chain; lower suspicion when signer, path, command line, and parent match one recognized deployment, backup, scan, or web-maintenance component. Identity alone does not clear the read.

- Do the account and lineage fit application maintenance on this host?
  - Focus: `user.id`, `user.name`, `process.parent.executable`, and `process.Ext.ancestry`.
  - Implication: escalate when the account lacks a web-admin, service, deployment, backup, or response role, the service identity is unexpected, or the parent is a shell, script host, web worker, or remote-admin tool; lower suspicion when identity, parent, and ancestry match one recognized workflow.

- Did the same process enumerate or stage config secrets beyond one bounded read?
  - Focus: same-process file events by `host.id` and `process.entity_id`: `event.action`, `file.path`, and `file.Ext.original.path`; look for sibling "web.config", "applicationHost.config", backup or copied configs, script output, web-shell files, or archives. $investigate_0
  - Implication: escalate when the process walks multiple site roots, opens server-wide config, reads backups, or writes collection/web-shell artifacts; lower suspicion when file activity stays inside one expected application path with no copy, archive, or helper-file staging.

- Did direct child process activity show extraction, staging, or attempted use of exposed secrets?
  - Why: shell or encoded PowerShell chains can collect config contents, extract MachineKey material, or stage a web shell.
  - Focus: direct child process events on `host.id` where `process.parent.entity_id` matches `process.entity_id`: `process.executable`, `process.command_line`, and `process.parent.executable`. $investigate_1
  - Hint: expand manually from direct children into deeper descendants or the recovered process tree.
  - Implication: escalate when children or descendants include "cmd.exe", PowerShell, archive tools, database clients, web-shell writers, or commands referencing MachineKey, validation keys, decryption keys, config copies, or archive staging; absent child events lower immediate-use concern only if the reader, path, and file pattern are already bounded.

- If local evidence is suspicious or unresolved, does endpoint telemetry show broader config access or staging by the same user or host?
  - Focus: same-`user.id` file events with `file.path` values showing additional config reads, copied configs, script output, web-shell files, or archives. $investigate_2
  - Hint: if the user identity is shared or sparse, review same-`host.id` and `user.id` process events: `process.executable`, `process.command_line`, and `process.Ext.ancestry`. $investigate_3
  - Implication: expand scope when either view shows additional config reads, collection artifacts, staged scripts, or suspicious administration around the read window; keep the case local only when broader endpoint telemetry shows no additional staging and local evidence fits one exact workflow.

- Escalate when path, reader identity, lineage, same-process file behavior, child/descendant behavior, or related alerts indicate unauthorized config access or secret staging; close only when path, process, user/session, lineage, and same-process file evidence bind to one recognized maintenance, deployment, backup, or response workflow and outside confirmation verifies legitimacy telemetry cannot prove; preserve artifacts and escalate when evidence is mixed or incomplete.

### False positive analysis

- AV/EDR products may open web.config during scans. Confirm trusted-signed AV binary, SYSTEM or service account, and no same-process config copy, archive, or staging.
- Deployment, backup, scanning, or IR workflows can open web.config. Confirm `process.executable`, signer, parent, `file.path`, `user.id`, and `host.id` align with one workflow, with no config copy, archive, web-shell, shell descendants, or broader enumeration. Do not close on historical similarity alone.
- Build exceptions from `process.executable`, signer, parent, exact `file.path` root, `user.id`, and `host.id`. Avoid exceptions on "web.config" or host alone. For this new-terms rule, keep first-time cases as candidates until confirmed repeats show the same workflow.

### Response and remediation

- If confirmed benign, reverse temporary containment and document which evidence proved the workflow: reader identity, parent lineage, `file.path`, `user.id`, `host.id`, and same-process file pattern. Create an exception only for the independently confirmed minimum workflow, not for "web.config" broadly.
- If suspicious but unconfirmed, preserve the alert details, process tree, same-process file timeline, targeted config path, suspected copies, archives, script output, web-shell files, and case notes before containment. Apply reversible containment first, such as heightened monitoring, temporary account restrictions, or temporary outbound controls; isolate the host only if copied config, web-shell creation, or secret reuse is confirmed and service impact is acceptable.
- If confirmed malicious, preserve the reader process instance, parent chain, targeted `file.path`, copied or staged config, script output, web-shell files, archives, and case notes before containment. Then contain the affected host or account based on the unauthorized reader, high-value path, enumeration, staged artifacts, or descendant process evidence, and record those identifiers before terminating processes or deleting files.
- Rotate secrets exposed through the targeted `file.path`, including database credentials, MachineKey validation/decryption keys, OAuth/SAML secrets, and shared service-account credentials. Prioritize production, internet-facing, and shared application secrets.
- Eradicate only the webshells, scripts, copied configuration files, archives, persistence mechanisms, and altered application files identified during the investigation; restore affected application configuration from known-good state and remediate the initial access or privilege path that allowed the read.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.action",
    "host.name",
    "host.id",
    "user.name",
    "user.id",
    "user.domain",
    "process.entity_id",
    "process.executable",
    "process.command_line",
    "process.parent.executable",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "file.path",
]

[transform]

[[transform.investigate]]
label = "File events for the same process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Direct child process events"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the same user"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the same host and user"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."process.executable"]
case_insensitive = true
value = "?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\Web Server Extensions\\\\*\\\\BIN\\\\*"

[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1005"
name = "Data from Local System"
reference = "https://attack.mitre.org/techniques/T1005/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
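To show how the three stages of the rule fit together (the KQL predicates and executable allowlist, the negated case-insensitive wildcard filter, and the new_terms stage on `process.executable` + `user.id` with a 7-day history window), here is an added example that re-implements that logic over constructed endpoint events. It is not Elastic's code; the SID, site path and `sptool.exe` name are made up, and the new-terms check is simplified to "pair not seen among matching events in the prior 7 days".

```python
"""Added example (not Elastic's code): the rule's query, wildcard filter and a
simplified new_terms stage applied to constructed Elastic Defend file events."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Exact process.executable exclusions copied from the rule query.
EXCLUDED_EXECUTABLES = {
    r"C:\Program Files\Microsoft Security Client\MsMpEng.exe",
    r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
    r"C:\Windows\System32\MRT.exe",
    r"C:\Windows\System32\inetsrv\w3wp.exe",
}
# [rule.filters]: negated, case-insensitive wildcard on process.executable.
SHAREPOINT_BIN_GLOB = r"?:\Program Files\Common Files\microsoft shared\Web Server Extensions\*\BIN\*"
NEW_TERMS_FIELDS = ("process.executable", "user.id")
HISTORY_WINDOW = timedelta(days=7)  # history_window_start = "now-7d"


def matches_query(ev: dict) -> bool:
    """True when the event satisfies the KQL query and is not removed by the filter."""
    if ev.get("event.category") != "file" or ev.get("host.os.type") != "windows":
        return False
    if ev.get("event.action") != "open" or ev.get("file.name") != "web.config":
        return False
    if "VirtualDirectories" not in ev.get("file.path", ""):
        return False
    exe = ev.get("process.executable", "")
    if exe in EXCLUDED_EXECUTABLES:
        return False
    # fnmatch treats backslash literally; lower-casing both sides gives case_insensitive = true.
    return not fnmatchcase(exe.lower(), SHAREPOINT_BIN_GLOB.lower())


def new_terms_alerts(events: list[dict]) -> list[dict]:
    """Alert on a matching event only when its (process.executable, user.id) pair was
    not seen in any matching event during the preceding HISTORY_WINDOW (simplified)."""
    matching = sorted((e for e in events if matches_query(e)), key=lambda e: e["@timestamp"])
    last_seen: dict[tuple, datetime] = {}
    alerts = []
    for ev in matching:
        key = tuple(ev.get(f) for f in NEW_TERMS_FIELDS)
        ts = ev["@timestamp"]
        if key not in last_seen or ts - last_seen[key] > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[key] = ts
    return alerts


# Constructed sample telemetry: the SID, site path and "sptool.exe" are made up.
NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
SITE_CONFIG = r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"
USER = "S-1-5-21-1111-2222-3333-1001"


def _ev(age: timedelta, exe: str, user: str = USER, path: str = SITE_CONFIG) -> dict:
    return {"@timestamp": NOW - age, "event.category": "file", "host.os.type": "windows",
            "event.action": "open", "file.name": path.rsplit("\\", 1)[-1],
            "file.path": path, "process.executable": exe, "user.id": user}


SAMPLE_EVENTS = [
    _ev(timedelta(days=10), r"C:\Program Files\Microsoft Security Client\MsMpEng.exe", "S-1-5-18"),
    _ev(timedelta(days=8), r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\sptool.exe"),
    _ev(timedelta(days=6), r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe"),
    _ev(timedelta(hours=1), r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe"),   # repeat pair
    _ev(timedelta(minutes=5), r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # new pair
    _ev(timedelta(minutes=2), r"C:\Windows\System32\cmd.exe", path=r"C:\inetpub\wwwroot\web.config"),
]
```

Running `new_terms_alerts(SAMPLE_EVENTS)` yields two alerts: the first msdeploy.exe read (new pair) and the powershell.exe read; the AV binary, the SharePoint BIN tool, the repeat msdeploy.exe pair and the path outside VirtualDirectories are all suppressed, which is the same split the triage steps above ask you to verify by hand.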
