Monthly Manifest and Schema Updation (#6036)

detection_rules/etc/stack-schema-map.yaml

@@ -150,11 +150,11 @@
   endgame: "8.4.0"
 
 "9.4.0":
-  beats: "9.3.3"
+  beats: "9.3.4"
   ecs: "9.4.0-rc1"
   endgame: "8.4.0"
 
 "9.5.0":
-  beats: "9.3.3"
+  beats: "9.3.4"
   ecs: "9.4.0-rc1"
   endgame: "8.4.0"

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.31"
+version = "1.6.32"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/04/21"
+updated_date = "2026/05/04"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,28 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft IIS Service Account Password Dumped"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Microsoft IIS Service Account Password Dumped
+
+This rule detects the IIS administration utility being launched to print full web server configuration or credential-bearing settings, which can expose application pool usernames, passwords, and connection strings in clear text. An attacker who lands on a Windows web server through a web shell can run the tool to enumerate process model settings, recover the service account password, and reuse those credentials for lateral movement or deeper access to backend systems.
+
+### Possible investigation steps
+
+- Review the process tree, executing user, logon session, integrity level, and remote-interactive context to determine whether the command was launched by an authorized administrator, a scripted maintenance task, or through a suspicious parent such as cmd.exe, powershell.exe, w3wp.exe, or a web shell.
+- Build a short timeline on the host around the execution to identify adjacent discovery or credential-access activity, including archive or encode tools, file staging in web directories, registry access, and outbound connections to unusual internal or external destinations.
+- Inspect recent IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files, requests containing command-execution parameters, uploads to writable web paths, or authentication bypass behavior preceding the event.
+- Determine which application pools, virtual directories, or connection strings were exposed, then review subsequent authentication and service activity for the recovered account on other systems to spot lateral movement, privilege escalation, or access to databases and file shares.
+- If the activity is unauthorized, preserve the relevant IIS configuration and web content for forensics, search the environment for the same account or host communicating elsewhere, and prioritize password rotation for affected service accounts and secrets.
+
+### False positive analysis
+
+- An IIS administrator may legitimately run AppCmd to review application pool identities or troubleshoot authentication issues, so verify the command aligns with an approved maintenance window or change request and was launched by an expected administrative account.
+- A scheduled server administration script may enumerate full IIS configuration or connection strings during backup, migration validation, or configuration auditing, so confirm the parent process and execution time match a known scheduled task or recurring maintenance pattern and that no suspicious follow-on activity occurred.
+"""
 references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
 risk_score = 21
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
@@ -42,6 +64,7 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
     "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"