- What process opened which "web.config" path, and what secrets could it expose?
- Why: IIS, SharePoint, federation, or shared application configs can expose connection strings, MachineKey validation/decryption keys, and OAuth/SAML settings for ViewState forgery or credential pivots.
- Focus: `file.path`, `process.entity_id`, `process.executable`, `user.id`, and `host.id`.
- Implication: escalate when `file.path` points to SharePoint, federation, shared application, database-connected app, or another high-value IIS root; lower suspicion only when asset inventory or owner confirmation verifies a non-sensitive test path and later endpoint evidence stays inside that exact workflow.
- Is the reader a recognized maintenance component or an anomalous binary?
- Focus: `process.executable`, `process.command_line`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.parent.executable`.
- Implication: escalate when the reader is unsigned, user-writable, renamed, or launched by a shell, script host, web worker, or remote-admin chain; lower suspicion when signer, path, command line, and parent match one recognized deployment, backup, scan, or web-maintenance component. Identity alone does not clear the read.
- Do the account and lineage fit application maintenance on this host?
- Focus: `user.id`, `user.name`, `process.parent.executable`, and `process.Ext.ancestry`.
- Implication: escalate when the account lacks a web-admin, service, deployment, backup, or response role, the service identity is unexpected, or the parent is a shell, script host, web worker, or remote-admin tool; lower suspicion when identity, parent, and ancestry match one recognized workflow.
- Did the same process enumerate or stage config secrets beyond one bounded read?
- Focus: same-process file events by `host.id` and `process.entity_id`: `event.action`, `file.path`, and `file.Ext.original.path`; look for sibling "web.config", "applicationHost.config", backup or copied configs, script output, web-shell files, or archives. $investigate_0
- Implication: escalate when the process walks multiple site roots, opens server-wide config, reads backups, or writes collection/web-shell artifacts; lower suspicion when file activity stays inside one expected application path with no copy, archive, or helper-file staging.
- Did direct child process activity show extraction, staging, or attempted use of exposed secrets?
- Why: shell or encoded PowerShell chains can collect config contents, extract MachineKey material, or stage a web shell.
- Focus: direct child process events on `host.id` where `process.parent.entity_id` matches `process.entity_id`: `process.executable`, `process.command_line`, and `process.parent.executable`. $investigate_1
- Hint: expand manually from direct children into deeper descendants or the recovered process tree.
- Implication: escalate when children or descendants include "cmd.exe", PowerShell, archive tools, database clients, web-shell writers, or commands referencing MachineKey, validation keys, decryption keys, config copies, or archive staging; absent child events lower immediate-use concern only if the reader, path, and file pattern are already bounded.
- If local evidence is suspicious or unresolved, does endpoint telemetry show broader config access or staging by the same user or host?
- Hint: if the user identity is shared or sparse, review same-`host.id` and `user.id` process events: `process.executable`, `process.command_line`, and `process.Ext.ancestry`. $investigate_3
- Implication: expand scope when either view shows additional config reads, collection artifacts, staged scripts, or suspicious administration around the read window; keep the case local only when broader endpoint telemetry shows no additional staging and local evidence fits one exact workflow.
- Escalate when path, reader identity, lineage, same-process file behavior, child/descendant behavior, or related alerts indicate unauthorized config access or secret staging; close only when path, process, user/session, lineage, and same-process file evidence bind to one recognized maintenance, deployment, backup, or response workflow and outside confirmation verifies legitimacy telemetry cannot prove; preserve artifacts and escalate when evidence is mixed or incomplete.
### False positive analysis
- AV/EDR products may open web.config during scans. Confirm trusted-signed AV binary, SYSTEM or service account, and no same-process config copy, archive, or staging.
- Deployment, backup, scanning, or IR workflows can open web.config. Confirm `process.executable`, signer, parent, `file.path`, `user.id`, and `host.id` align with one workflow, with no config copy, archive, web-shell, shell descendants, or broader enumeration. Do not close on historical similarity alone.
- Build exceptions from `process.executable`, signer, parent, exact `file.path` root, `user.id`, and `host.id`. Avoid exceptions on "web.config" or host alone. For this new-terms rule, keep first-time cases as candidates until confirmed repeats show the same workflow.
### Response and remediation
- If confirmed benign, reverse temporary containment and document which evidence proved the workflow: reader identity, parent lineage, `file.path`, `user.id`, `host.id`, and same-process file pattern. Create an exception only for the independently confirmed minimum workflow, not for "web.config" broadly.
- If suspicious but unconfirmed, preserve the alert details, process tree, same-process file timeline, targeted config path, suspected copies, archives, script output, web-shell files, and case notes before containment. Apply reversible containment first, such as heightened monitoring, temporary account restrictions, or temporary outbound controls; isolate the host only if copied config, web-shell creation, or secret reuse is confirmed and service impact is acceptable.
- If confirmed malicious, preserve the reader process instance, parent chain, targeted `file.path`, copied or staged config, script output, web-shell files, archives, and case notes before containment. Then contain the affected host or account based on the unauthorized reader, high-value path, enumeration, staged artifacts, or descendant process evidence, and record those identifiers before terminating processes or deleting files.
- Rotate secrets exposed through the targeted `file.path`, including database credentials, MachineKey validation/decryption keys, OAuth/SAML secrets, and shared service-account credentials. Prioritize production, internet-facing, and shared application secrets.
- Eradicate only the webshells, scripts, copied configuration files, archives, persistence mechanisms, and altered application files identified during the investigation; restore affected application configuration from known-good state and remediate the initial access or privilege path that allowed the read.
"""
setup="""## Setup
This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
