Extract Credentials From IIS Application Pool Configuration Files

Detects execution of appcmd.exe, the IIS command-line administration tool, with the `list apppool /@t:*` arguments that dump every attribute of the configured application pools, including the password of any custom pool identity. IIS application pools can run under dedicated user accounts for security and isolation; when such an account is configured, its password is kept in the IIS configuration and appcmd returns it in clear text to any local administrator, which is why the command is used for credential access (the CrackMapExec module the rule references does exactly this).

Sigma rule

title: Extract Credentials From IIS Application Pool Configuration Files
id: cf6cd798-1933-4eb1-9ab7-2c9acc237104
description: Detects the execution of appcmd.exe that is used to extract credentials from configuration files. IIS application pools can run as different users for security and isolation purposes. When a user is specified for the application pool, their credentials are stored in plaintext in the configuration file.
status: experimental
date: 2023/09/04
author: @kostastsale
references:
    - https://github.com/mpgn/CrackMapExec/pull/62
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\appcmd.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains|all:
            - ' list '
            - ' apppool '
            - '/@t*:'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.CredentialAccess
    - attack.T1552.001
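To see what selection1 actually fires on, here is an added example (not part of the Sigma rule or of this page) that evaluates the rule's field conditions in Python over a handful of constructed process_creation events. The paths, parent processes and command lines are made up for illustration; the matching follows Sigma's conventions of case-insensitive comparison, `*` as a multi-character wildcard, and value lists that are OR-ed unless the `all` modifier is present.

```python
"""Added example: evaluate the rule's selection1 over constructed process_creation events.

Not part of the Sigma rule or this page; every event below is made up for illustration.
"""
import re
from typing import Dict, List, Tuple

# selection1 from the rule, as (field, modifier chain) -> values. A Sigma selection is
# satisfied only when every field condition holds.
SELECTION: Dict[Tuple[str, str], List[str]] = {
    ("Image", "endswith"): ["\\appcmd.exe"],
    ("ParentImage", "endswith"): ["\\powershell.exe", "\\cmd.exe"],
    ("CommandLine", "contains|all"): [" list ", " apppool ", "/@t*:"],
}


def compile_sigma_value(value: str, modifier: str) -> "re.Pattern[str]":
    """Turn one Sigma string value into a regex: matching is case-insensitive and
    '*' is a multi-character wildcard; the modifier decides how it is anchored."""
    body = ".*".join(re.escape(part) for part in value.split("*"))
    if modifier == "endswith":
        body += "$"
    elif modifier == "startswith":
        body = "^" + body
    elif modifier != "contains":  # no modifier: the whole field must match
        body = "^" + body + "$"
    return re.compile(body, re.IGNORECASE)


def selection_matches(event: Dict[str, str]) -> bool:
    """True when the event satisfies every field condition of selection1."""
    for (field, modifier_chain), values in SELECTION.items():
        modifiers = modifier_chain.split("|")
        regexes = [compile_sigma_value(v, modifiers[0]) for v in values]
        actual = event.get(field, "")
        hits = [r.search(actual) is not None for r in regexes]
        # Lists of values are OR-ed unless the 'all' modifier is present.
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


# Constructed sample events (not real telemetry). Field names follow the Sigma
# process_creation schema the rule is written against.
EVENTS: List[Dict[str, str]] = [
    {   # 1: the CrackMapExec-style dump from cmd.exe -> should alert
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*",
    },
    {   # 2: same from PowerShell with odd casing -> should alert (case-insensitive)
        "Image": r"C:\Windows\System32\inetsrv\APPCMD.EXE",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"appcmd.exe LIST APPPOOL /@T:*",
    },
    {   # 3: routine enumeration without the text-output switch -> no alert
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"appcmd.exe list apppool",
    },
    {   # 4: same dump spawned by an IIS worker process -> no alert, parent not in the rule
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "CommandLine": r"appcmd.exe list apppool /@t:*",
    },
    {   # 5: longhand /text:* spelling -> no alert, the pattern needs the literal '/@t'
        "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"appcmd.exe list apppool /text:*",
    },
]


def alerting_events(events: List[Dict[str, str]]) -> List[int]:
    """Return the 1-based numbers of the events that trip the rule."""
    return [i for i, ev in enumerate(events, start=1) if selection_matches(ev)]


if __name__ == "__main__":
    for number in alerting_events(EVENTS):
        print(f"event {number}: ALERT  {EVENTS[number - 1]['CommandLine']}")
```

Events 1 and 2 match; events 3 to 5 do not. The two misses show where the rule as written stops, which is worth knowing when tuning it: the ParentImage condition restricts it to appcmd launched from cmd.exe or powershell.exe, so the same command spawned directly by an IIS worker process (w3wp.exe, as a web shell would do) is out of scope, and the `/@t*:` pattern needs the literal `/@t` shorthand, so a command line that spells the switch out as `/text:*` (appcmd's longhand for the same output option) is not matched. Whether to widen either condition is a decision for the team deploying the rule.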
