sigmahighHunting

Microsoft IIS Connection Strings Decryption

Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.

MITRE ATT&CK

T1003

credential-access

Detection Query

selection_name:
  - Image|endswith: \aspnet_regiis.exe
  - OriginalFileName: aspnet_regiis.exe
selection_args:
  CommandLine|contains|all:
    - connectionStrings
    - " -pdf"
condition: all of selection*

Author

Tim Rauch, Elastic (idea)

Created

2022-09-28

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html

Tags

attack.credential-accessattack.t1003

Raw Content

title: Microsoft IIS Connection Strings Decryption
id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2022-12-30
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith: '\aspnet_regiis.exe'
        - OriginalFileName: 'aspnet_regiis.exe'
    selection_args:
        CommandLine|contains|all:
            - 'connectionStrings'
            - ' -pdf'
    condition: all of selection*
falsepositives:
    - Unknown
level: high