Extract Credentials From IIS Application Pool Configuration Files
Detects the execution of appcmd.exe that is used to extract credentials from configuration files. IIS application pools can run as different users for security and isolation purposes. When a user is specified for the application pool, their credentials are stored in plaintext in the configuration file.
Sigma rule:

title: Extract Credentials From IIS Application Pool Configuration Files
description: Detects the execution of appcmd.exe that is used to extract credentials from configuration files. IIS application pools can run as different users for security and isolation purposes. When a user is specified for the application pool, their credentials are stored in plaintext in the configuration file.
status: experimental
date: 2023/09/04
author: '@kostastsale'
references:
    - https://github.com/mpgn/CrackMapExec/pull/62
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\appcmd.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains|all:
            - ' list '
            - ' apppool '
            - '/@t*:'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.credential_access
    - attack.t1552.001
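To see what the selection above actually matches, the following Python evaluates the rule's three field clauses against a handful of constructed process-creation events. This is an added example, not part of the SigmaHQ rule or the page; the events, field names and helper functions are assumptions for illustration. It implements the Sigma string semantics that matter here: matching is case-insensitive, `endswith` and `contains` are substring anchors, `all` turns a value list into an AND, and an unescaped `*` inside a value (as in `/@t*:`) is a wildcard rather than a literal asterisk.

```python
import re
from typing import Dict, List

# The detection.selection1 block of the rule, transcribed as plain data.
RULE_SELECTION = {
    "Image|endswith": ["\\appcmd.exe"],
    "ParentImage|endswith": ["\\powershell.exe", "\\cmd.exe"],
    "CommandLine|contains|all": [" list ", " apppool ", "/@t*:"],
}

# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: shell-spawned appcmd dumping app pool config incl. credentials -> should match
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'appcmd.exe list apppool "DefaultAppPool" /@t:*',
    },
    {   # 1: same binary, benign site listing without the text-dump switch -> no match
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"appcmd.exe list site",
    },
    {   # 2: spawned by a deployment tool, not cmd/powershell -> no match (parent clause fails)
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
        "CommandLine": r"appcmd.exe list apppool /@t:*",
    },
    {   # 3: upper-case variant from PowerShell -> should match (Sigma is case-insensitive)
        "Image": r"C:\WINDOWS\SYSTEM32\INETSRV\APPCMD.EXE",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"APPCMD.EXE LIST APPPOOL /@T:*",
    },
]


def sigma_value_to_regex(value: str, modifier: str) -> re.Pattern:
    """Turn one Sigma string value into a compiled regex.

    Escape the literal text, then re-enable Sigma's wildcards: '*' matches any
    run of characters and '?' any single character. The modifier decides where
    the pattern is anchored."""
    pattern = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    if modifier == "endswith":
        pattern = pattern + "$"
    elif modifier == "startswith":
        pattern = "^" + pattern
    elif modifier == "contains":
        pass  # unanchored substring search
    else:  # plain equality: anchor both ends
        pattern = "^" + pattern + "$"
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


def field_matches(event: Dict[str, str], key: str, values: List[str]) -> bool:
    """Evaluate one 'Field|modifier[|all]' entry against an event."""
    field, *mods = key.split("|")
    require_all = "all" in mods
    match_mod = next((m for m in mods if m in ("contains", "endswith", "startswith")), "equals")
    actual = event.get(field)
    if actual is None:
        return False
    hits = [bool(sigma_value_to_regex(v, match_mod).search(actual)) for v in values]
    return all(hits) if require_all else any(hits)


def selection_matches(event: Dict[str, str], selection=RULE_SELECTION) -> bool:
    """All entries in a selection map are AND-ed; the condition is just selection1."""
    return all(field_matches(event, key, values) for key, values in selection.items())


def run_rule(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if selection_matches(ev)]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running it alerts on events 0 and 3 only: event 1 lacks both the `apppool` object and the text-dump switch, and event 2 fails the `ParentImage` clause, which is what keeps deployment tooling that legitimately calls appcmd from cmd/powershell-spawned interactive use. Note that the `ParentImage` clause is also the gap a defender should be aware of: an operator launching appcmd from anything other than cmd.exe or powershell.exe will not trigger this rule, so it is worth pairing with broader appcmd.exe process monitoring.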