Microsoft IIS Service Account Password Dumped

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used with its list command and an output switch (/config, /xml, /text:* or /@t:*) that prints stored application pool or virtual directory credentials in clear text

Sigma rule

title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
    - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
    - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022/11/08
modified: 2023/01/22
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_base_name:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_base_list:
        CommandLine|contains: 'list '
    selection_standalone:
        CommandLine|contains:
            - ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
            - ' /xml'
            # We cover the "-" version just in case :)
            - ' -config'
            - ' -xml'
    selection_cmd_flags:
        CommandLine|contains:
            - ' /@t' # Covers both "/@text:*" and "/@t:*"
            - ' /text'
            - ' /show'
            # We cover the "-" version just in case :)
            - ' -@t'
            - ' -text'
            - ' -show'
    selection_cmd_grep:
        CommandLine|contains:
            - ':\*'
            - 'password'
    condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
falsepositives:
    - Unknown
level: high
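The rule's condition is easiest to understand by running it. The following is an added example, not the rule's own code and not a Sigma backend: it re-implements the five selections and the condition in plain Python and evaluates them over constructed process_creation events (the sample command lines and paths are made up for illustration, using the Sysmon field names Image, OriginalFileName and CommandLine). Note that the value ':\*' in selection_cmd_grep is an escaped wildcard in Sigma, so the literal substring searched for is ':*'.

```python
"""Added example: the Sigma rule above re-implemented in plain Python and run
over constructed process_creation events. Not the rule's own code and not a
Sigma backend; field names follow the Sysmon process_creation schema."""

from typing import Dict, List, Tuple

# Selection values transcribed from the rule. Sigma string modifiers match
# case-insensitively, so every comparison below lower-cases both sides.
BASE_NAME_IMAGE_SUFFIX = "\\appcmd.exe"        # Image|endswith
BASE_NAME_ORIGINAL = "appcmd.exe"              # OriginalFileName
BASE_LIST = "list "                            # CommandLine|contains
STANDALONE = [" /config", " /xml", " -config", " -xml"]
CMD_FLAGS = [" /@t", " /text", " /show", " -@t", " -text", " -show"]
# The rule writes ':\*'; the backslash escapes the Sigma wildcard, so the
# literal substring being searched for is ':*'.
CMD_GREP = [":*", "password"]


def _contains_any(value: str, needles: List[str]) -> bool:
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches(event: Dict[str, str]) -> bool:
    """True if the event satisfies:
    all of selection_base_* and (selection_standalone or all of selection_cmd_*)"""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")

    # selection_base_name is a list of maps, i.e. OR between the two fields
    base_name = image.endswith(BASE_NAME_IMAGE_SUFFIX) or original == BASE_NAME_ORIGINAL
    base_list = BASE_LIST in cmd.lower()
    standalone = _contains_any(cmd, STANDALONE)
    cmd_flags = _contains_any(cmd, CMD_FLAGS)
    cmd_grep = _contains_any(cmd, CMD_GREP)

    return base_name and base_list and (standalone or (cmd_flags and cmd_grep))


# Constructed sample events (not real telemetry). APPCMD is the default
# install path of appcmd.exe on IIS.
APPCMD = "C:\\Windows\\System32\\inetsrv\\appcmd.exe"

SAMPLE_EVENTS: List[Tuple[str, Dict[str, str]]] = [
    ("apppool config dump",
     {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
      "CommandLine": f"{APPCMD} list apppool /config"}),
    ("all text attributes",
     {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
      "CommandLine": "appcmd list apppool /text:*"}),
    ("@t wildcard from the referenced tweet",
     {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
      "CommandLine": "appcmd list apppool /@t:*"}),
    ("single password attribute",
     {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
      "CommandLine": "appcmd list apppool DefaultAppPool /text:processModel.password"}),
    ("renamed binary, caught via OriginalFileName",
     {"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "appcmd.exe",
      "CommandLine": "svc.exe list vdir -xml"}),
    ("benign site listing",
     {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
      "CommandLine": "appcmd list site"}),
    ("text switch without password or wildcard",
     {"Image": APPCMD, "OriginalFileName": "appcmd.exe",
      "CommandLine": "appcmd list apppool /text:name"}),
    ("parent shell only (the child appcmd.exe is a separate event)",
     {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
      "CommandLine": 'cmd.exe /c "appcmd list apppool /config"'}),
]


def scan(events=SAMPLE_EVENTS) -> Dict[str, bool]:
    """Evaluate the rule over each labelled event and return label -> hit."""
    return {label: matches(event) for label, event in events}


if __name__ == "__main__":
    for label, hit in scan().items():
        print(f"{'ALERT' if hit else 'ok   '}  {label}")
```

Two points the samples make explicit: the renamed-binary case only fires because the log source carries OriginalFileName (Sysmon Event ID 1 does; Security Event ID 4688 does not, so on 4688 only the Image path clause is available), and a wrapper such as cmd.exe /c never matches by itself, the detection relies on the child appcmd.exe process creation being logged.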
