EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Microsoft IIS Service Account Password Dumped

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

MITRE ATT&CK

T1003
credential-access

Detection Query

selection_base_name:
  - Image|endswith: \appcmd.exe
  - OriginalFileName: appcmd.exe
selection_base_list:
  CommandLine|contains: "list "
selection_standalone:
  CommandLine|contains:
    - " /config"
    - " /xml"
    - " -config"
    - " -xml"
selection_cmd_flags:
  CommandLine|contains:
    - " /@t"
    - " /text"
    - " /show"
    - " -@t"
    - " -text"
    - " -show"
selection_cmd_grep:
  CommandLine|contains:
    - :\*
    - password
condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)

Author

Tim Rauch, Janantha Marasinghe, Elastic (original idea)

Created

2022-11-08

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.credential-accessattack.t1003
Raw Content
title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
    - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
    - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022-11-08
modified: 2023-01-22
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_base_name:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_base_list:
        CommandLine|contains: 'list '
    selection_standalone:
        CommandLine|contains:
            - ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
            - ' /xml'
            # We cover the "-" version just in case :)
            - ' -config'
            - ' -xml'
    selection_cmd_flags:
        CommandLine|contains:
            - ' /@t' # Covers both "/@text:*" and "/@t:*"
            - ' /text'
            - ' /show'
            # We cover the "-" version just in case :)
            - ' -@t'
            - ' -text'
            - ' -show'
    selection_cmd_grep:
        CommandLine|contains:
            - ':\*'
            - 'password'
    condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
falsepositives:
    - Unknown
level: high