From 2ce8c2833f70b2f6dc4982844bee022e6b8f7b23 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 22 Sep 2020 13:58:57 +0200
Subject: [PATCH] [New Rule] Microsoft IIS Service Account Password Dumped (#167)
* [New Rule] Microsoft IIS Service Account Password Dumped
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Linted
Co-authored-by: Justin Ibarra
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
---
 ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
new file mode 100644
index 000000000..6dcf1c5d7
--- /dev/null
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -0,0 +1,44 @@
+[metadata]
+creation_date = "2020/08/18"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/08/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker
+with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
+"""
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "lucene"
+license = "Elastic License"
+max_signals = 33
+name = "Microsoft IIS Service Account Password Dumped"
+references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
+risk_score = 73
+rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
+severity = "high"
+tags = ["Elastic", "Windows"]
+type = "query"
+
+query = '''
+event.category:process AND event.type:(start OR process_started) AND
+ (process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe) AND
+ process.args:(/[lL][iI][sS][tT]/ AND /\/[tT][eE][xX][tT]\:[pP][aA][sS][sS][wW][oO][rR][dD]/)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
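Review bot: The second `process.args` regex in the query only fires when an argument is exactly `/text:password` in any letter case, because Lucene regexes on a keyword field are anchored to the whole token; an argument that names the attribute by its full path, or the wildcard form the referenced NetSPI write-up appears to use to dump every AppPool attribute, would not match, so please confirm the intended coverage against that reference and, if it should be broader, use a pattern such as `/\/[tT][eE][xX][tT]\:.*[pP][aA][sS][sS][wW][oO][rR][dD].*/` or an explicit second alternative for the wildcard case. The rule also carries no `false_positives` entry even though IIS administrators run `appcmd list` when auditing configuration; a line like `false_positives = ["Administrators auditing IIS application pool configuration with AppCmd."]` under `[rule]` would help analysts triage. `max_signals = 33` is an unusual value next to the platform default of 100, so if it is deliberate a short comment above it explaining the choice is worth adding, and if not it looks like a stray edit.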