2020-09-29 11:45:41 +02:00
[ metadata ]
creation_date = "2020/08/18"
2023-01-04 09:30:07 -05:00
integration = [ "endpoint" , "windows" ]
2020-09-29 11:45:41 +02:00
maturity = "production"
2022-08-24 10:38:49 -06:00
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
2023-03-05 09:41:19 -09:00
updated_date = "2023/02/22"
2020-09-29 11:45:41 +02:00
[ rule ]
author = [ "Elastic" ]
description = "" "
Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server
access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account
password using aspnet_regiis command.
" ""
from = "now-9m"
2022-10-19 08:27:44 -07:00
index = [ "winlogbeat-*" , "logs-endpoint.events.*" , "logs-windows.*" , "endgame-*" ]
2020-12-08 21:07:26 +01:00
language = "eql"
2021-03-03 22:12:11 -09:00
license = "Elastic License v2"
2020-09-29 11:45:41 +02:00
max_signals = 33
name = "Microsoft IIS Connection Strings Decryption"
2022-07-18 15:41:32 -04:00
note = "" "## Setup
2022-04-01 15:27:08 -08:00
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
" ""
2020-09-29 11:45:41 +02:00
references = [
"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" ,
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia" ,
]
risk_score = 73
rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
severity = "high"
2022-10-19 08:27:44 -07:00
tags = [ "Elastic" , "Host" , "Windows" , "Threat Detection" , "Credential Access" , "Elastic Endgame" ]
2021-02-16 10:52:48 -09:00
timestamp_override = "event.ingested"
2020-12-08 21:07:26 +01:00
type = "eql"
2020-09-29 11:45:41 +02:00
query = '' '
2023-03-05 09:41:19 -09:00
process where host.os.type == "windows" and event.type == "start" and
2020-12-08 21:07:26 +01:00
(process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and
process.args : "connectionStrings" and process.args : "-pdf"
2020-09-29 11:45:41 +02:00
' ''
[ [ rule . threat ] ]
framework = "MITRE ATT&CK"
[ [ rule . threat . technique ] ]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[ rule . threat . tactic ]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
2021-02-16 10:52:48 -09:00
