Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
Sigma rule
title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
    - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
    - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022-11-08
modified: 2023-01-22
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_base_name:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_base_list:
        CommandLine|contains: 'list '
    selection_standalone:
        CommandLine|contains:
            - ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
            - ' /xml'
            # We cover the "-" version just in case :)
            - ' -config'
            - ' -xml'
    selection_cmd_flags:
        CommandLine|contains:
            - ' /@t' # Covers both "/@text:*" and "/@t:*"
            - ' /text'
            - ' /show'
            # We cover the "-" version just in case :)
            - ' -@t'
            - ' -text'
            - ' -show'
    selection_cmd_grep:
        CommandLine|contains:
            - ':\*'
            - 'password'
    condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
falsepositives:
    - Unknown
level: high
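To make the condition concrete, here is an added Python reimplementation of the rule's selections and condition, run over a handful of constructed process_creation events. It is example code written for this page, not part of the Sigma project or of any backend. It assumes two things about Sigma semantics that the rule relies on: that `contains`/`endswith` comparisons are case-insensitive, and that `\*` inside a Sigma string is an escaped literal asterisk, so `':\*'` matches the two characters `:*`. The events, the renamed-binary path and the fields are all constructed for illustration.

```python
"""Reference implementation of the rule's condition over constructed events (example code)."""

# Strings copied from the rule above; selection names mirror the YAML.
BASE_NAME_IMAGE_SUFFIX = "\\appcmd.exe"        # Image|endswith
BASE_NAME_ORIGINAL = "appcmd.exe"              # OriginalFileName
BASE_LIST = ["list "]                          # selection_base_list
STANDALONE = [" /config", " /xml", " -config", " -xml"]
CMD_FLAGS = [" /@t", " /text", " /show", " -@t", " -text", " -show"]
# Assumption: Sigma writes a literal asterisk as '\*', so ':\*' is the text ':*'.
CMD_GREP = [":*", "password"]


def _contains_any(value, needles):
    """Sigma 'contains' modifier: assumed case-insensitive substring match, OR over the list."""
    value = value.lower()
    return any(n.lower() in value for n in needles)


def matches_rule(event):
    """Return True when the event satisfies
    'all of selection_base_* and (selection_standalone or all of selection_cmd_*)'."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")

    # selection_base_name is a list of maps, so the two field checks are OR-ed.
    selection_base_name = (image.endswith(BASE_NAME_IMAGE_SUFFIX)
                           or original == BASE_NAME_ORIGINAL)
    selection_base_list = _contains_any(cmd, BASE_LIST)
    selection_standalone = _contains_any(cmd, STANDALONE)
    selection_cmd_flags = _contains_any(cmd, CMD_FLAGS)
    selection_cmd_grep = _contains_any(cmd, CMD_GREP)

    return (selection_base_name and selection_base_list
            and (selection_standalone or (selection_cmd_flags and selection_cmd_grep)))


# Constructed process_creation events; paths and command lines are illustrative only.
APPCMD = "C:\\Windows\\System32\\inetsrv\\appcmd.exe"
SAMPLE_EVENTS = [
    # standalone branch: 'list ' plus ' /config'
    {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
     "CommandLine": "appcmd.exe list apppool /config"},
    # two-part branch: a flag (' /text') AND a grep term (':*')
    {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
     "CommandLine": "appcmd.exe list site /text:*"},
    # flag present but no grep term: the AND inside selection_cmd_* fails
    {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
     "CommandLine": "appcmd.exe list site /text:name"},
    # plain enumeration without any of the output switches
    {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
     "CommandLine": "appcmd.exe list apppool"},
    # renamed copy: Image no longer ends with \appcmd.exe, but the PE's
    # OriginalFileName still identifies the tool, so selection_base_name holds
    {"Image": "C:\\Temp\\svc.exe", "OriginalFileName": "appcmd.exe",
     "CommandLine": "svc.exe list apppool /xml"},
    # unrelated binary carrying a matching switch: base_name fails
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir /xml"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Pair each command line with the rule's verdict, in input order."""
    return [(e["CommandLine"], matches_rule(e)) for e in events]


if __name__ == "__main__":
    for cmd, hit in evaluate():
        print(f"{'ALERT ' if hit else 'ignore'}  {cmd}")
```

The third and fourth events are the ones worth studying: a `/text:<name>` query on its own does not fire, because the rule deliberately requires either a whole-configuration dump switch or both an output switch and a wildcard/password term, which is what keeps the `falsepositives: Unknown` surface small. The fifth event shows why the rule keys on `OriginalFileName` as well as `Image`.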
Related rules
- Access To Crypto Currency Wallets By Uncommon Applications
- Antivirus Password Dumper Detection
- Capture Credentials with Rpcping.exe
- Credential Manager Access By Uncommon Applications
- Esentutl Gather Credentials