Microsoft IIS Service Account Password Dumped

edit

Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 33

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Credential Access

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit
event.category:process AND event.type:(start OR process_started) AND
(process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe
or winlog.event_data.OriginalFileName:appcmd.exe) AND
process.args:(/[lL][iI][sS][tT]/ AND
/\/[tT][eE][xX][tT]\:[pP][aA][sS][sS][wW][oO][rR][dD]/)

Threat mapping

edit

Framework: MITRE ATT&CKTM