Microsoft IIS Connection Strings Decryption
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with access to a Microsoft IIS web server, for example via a webshell, can use the aspnet_regiis command to decrypt and dump any hardcoded connection strings, such as the MSSQL service account password.
Sigma rule
title: Microsoft IIS Connection Strings Decryption
id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2022-12-30
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith: '\aspnet_regiis.exe'
        - OriginalFileName: 'aspnet_regiis.exe'
    selection_args:
        CommandLine|contains|all:
            - 'connectionStrings'
            - ' -pdf'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
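The following is an added example, not code from the Sigma project or from the rule's author: a small Python evaluator that applies the rule's matching logic (the OR inside selection_name, the contains-all inside selection_args, and the AND of the condition) to a handful of constructed process-creation events. The event field names follow the Sigma process_creation model; the file paths and command lines are made up for illustration. Sigma string modifiers compare case-insensitively by default, which the helpers reproduce.

```python
"""Added example (not part of the Sigma project or the rule above): applies the
rule's detection logic to constructed process-creation events of the kind a
Sysmon Event ID 1 or Security 4688 record yields after field mapping."""

from typing import Dict, List

# Literal values taken from the rule's detection section.
IMAGE_SUFFIX = "\\aspnet_regiis.exe"
ORIGINAL_FILE_NAME = "aspnet_regiis.exe"
CMDLINE_ALL = ("connectionStrings", " -pdf")


def selection_name(event: Dict[str, str]) -> bool:
    """selection_name is a list of two maps, so its clauses are OR-ed.
    OriginalFileName comes from the PE version resource, which is why the
    second clause still fires when the binary runs under another file name."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX.lower()) or original == ORIGINAL_FILE_NAME.lower()


def selection_args(event: Dict[str, str]) -> bool:
    """CommandLine|contains|all: every listed substring must be present."""
    cmdline = event.get("CommandLine", "").lower()
    return all(needle.lower() in cmdline for needle in CMDLINE_ALL)


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection* -> both selections must hold."""
    return selection_name(event) and selection_args(event)


# Constructed sample events; paths, names and command lines are illustrative only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1: decryption (-pdf) of the connectionStrings section via the real binary
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe",
        "OriginalFileName": "aspnet_regiis.exe",
        "CommandLine": r'aspnet_regiis.exe -pdf "connectionStrings" C:\inetpub\wwwroot\app',
    },
    {   # 2: same tool copied under a different name; OriginalFileName still matches
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "aspnet_regiis.exe",
        "CommandLine": r"svc.exe -pdf connectionStrings C:\inetpub\wwwroot\app",
    },
    {   # 3: encryption (-pef) of the same section, which the rule does not cover
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe",
        "OriginalFileName": "aspnet_regiis.exe",
        "CommandLine": r'aspnet_regiis.exe -pef "connectionStrings" C:\inetpub\wwwroot\app',
    },
    {   # 4: unrelated process whose arguments contain both strings; selection_name fails
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo connectionStrings -pdf",
    },
]


def matching_indices(events: List[Dict[str, str]]) -> List[int]:
    """Return the 1-based positions of the events the rule would alert on."""
    return [i for i, ev in enumerate(events, start=1) if matches(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, start=1):
        verdict = "ALERT" if matches(ev) else "no match"
        print(f"event {i}: {verdict:9} {ev['CommandLine']}")
```

Events 1 and 2 alert and events 3 and 4 do not: event 2 shows why the rule keys on OriginalFileName as well as Image, and event 4 shows that the command-line strings alone are not enough, since the condition requires both selections. The leading space in ' -pdf' keeps the match tied to the option as typed rather than to any substring containing "pdf".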
Related rules
- Access To Crypto Currency Wallets By Uncommon Applications
- Capture Credentials with Rpcping.exe
- Credential Manager Access By Uncommon Applications
- Esentutl Gather Credentials
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump