Extract Credentials From IIS Application Pool Configuration Files

Detects the execution of appcmd.exe that is used to extract credentials from configuration files. IIS application pools can run as different users for security and isolation purposes. When a user is specified for the application pool, their credentials are stored in plaintext in the configuration file.

Sigma rule

title: Extract Credentials From IIS Application Pool Configuration Files
description: Detects the execution of appcmd.exe that is used to extract credentials from configuration files. IIS application pools can run as different users for security and isolation purposes. When a user is specified for the application pool, their credentials are stored in plaintext in the configuration file.
status: experimental
date: 2023/09/04
author: @kostastsale
references:
    - https://github.com/mpgn/CrackMapExec/pull/62
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\appcmd.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains|all:
            - ' list '
            - ' apppool '
            - '/@t*:'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.CredentialAccess
    - attack.T1552.001
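To show how `selection1` is evaluated against process_creation telemetry, here is an added Python example; it is not part of the Sigma rule or of the SigmaHQ project. It implements the three field matchers with Sigma's default semantics (case-insensitive matching, `*` as a wildcard inside a value, `|all` requiring every listed value) and runs them over three constructed sample events: one that matches the rule, one benign appcmd listing, and one whose parent process falls outside the `ParentImage` filter and therefore does not alert even though the command line is identical.

```python
import re

# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # appcmd launched from cmd.exe with /@t:* so every app pool attribute is printed
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"appcmd.exe list apppool /@t:*",
    },
    {   # same tool, plain site listing: lacks ' apppool ' and the /@t switch
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"appcmd.exe list site",
    },
    {   # identical command line, but parent is services.exe, which the rule excludes
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"appcmd.exe list apppool /@t:*",
    },
]

# selection1 from the rule above, as Sigma field|modifier keys and their value lists.
SELECTION1 = {
    "Image|endswith": [r"\appcmd.exe"],
    "ParentImage|endswith": [r"\powershell.exe", r"\cmd.exe"],
    "CommandLine|contains|all": [" list ", " apppool ", "/@t*:"],
}


def sigma_value_to_regex(value, modifier):
    """Turn one Sigma value into a regex: case-insensitive, '*' matches any run of characters."""
    body = ".*".join(re.escape(part) for part in value.split("*"))
    if modifier == "endswith":
        return re.compile(body + r"\Z", re.IGNORECASE)
    if modifier == "startswith":
        return re.compile(r"\A" + body, re.IGNORECASE)
    return re.compile(body, re.IGNORECASE)  # contains


def field_matches(event, key, values):
    """Evaluate one 'Field|modifier[|all]' key against an event."""
    field, *mods = key.split("|")
    modifier = next((m for m in mods if m in ("endswith", "startswith", "contains")), "contains")
    require_all = "all" in mods
    text = event.get(field, "")
    hits = [bool(sigma_value_to_regex(v, modifier).search(text)) for v in values]
    # Without |all, a list of values is an OR; with |all, every value must be present.
    return all(hits) if require_all else any(hits)


def matches_rule(event, selection=SELECTION1):
    """All fields inside a selection are ANDed, which is what 'condition: selection1' asserts."""
    return all(field_matches(event, key, values) for key, values in selection.items())


def evaluate(events=SAMPLE_EVENTS):
    """Return one boolean per event: True where the rule would fire."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT" if hit else "ok   ", event["ParentImage"], "->", event["CommandLine"])
```

Run stand-alone, the script prints an alert only for the first event. The third event illustrates the trade-off in the `ParentImage` filter: it keeps the rule quiet for non-interactive launches, at the cost of not firing when appcmd is spawned by something other than cmd.exe or powershell.exe.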
