[metadata] creation_date = "2025/07/23" integration = ["endpoint"] maturity = "production" updated_date = "2026/04/27" [rule] author = ["Elastic"] description = """ Detects unusual access to the web.config file, which contains sensitive credential information such as database connection strings, machineKey validation/decryption keys, and SAML/OAuth token settings. Attackers can use the information extracted to forge malicious __VIEWSTATE requests for persistent RCE on the web server or pivot to the SQL server using exposed connection strings. """ from = "now-9m" index = ["logs-endpoint.events.file-*"] language = "kuery" license = "Elastic License v2" name = "Unusual Web Config File Access" references = [ "https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/", ] risk_score = 73 rule_id = "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "new_terms" query = ''' event.category:file and host.os.type:windows and event.action:open and file.name:"web.config" and file.path : *VirtualDirectories* and not process.executable: ( "C:\Program Files\Microsoft Security Client\MsMpEng.exe" or "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" or "C:\Windows\System32\MRT.exe" or "C:\Windows\System32\inetsrv\w3wp.exe" ) ''' note = """## Triage and analysis ### Investigating Unusual Web Config File Access #### Possible investigation steps - What process opened which "web.config" path, and what secrets could it expose? - Why: IIS, SharePoint, federation, or shared application configs can expose connection strings, MachineKey validation/decryption keys, and OAuth/SAML settings for ViewState forgery or credential pivots. - Focus: `file.path`, `process.entity_id`, `process.executable`, `user.id`, and `host.id`. - Implication: escalate when `file.path` points to SharePoint, federation, shared application, database-connected app, or another high-value IIS root; lower suspicion only when asset inventory or owner confirmation verifies a non-sensitive test path and later endpoint evidence stays inside that exact workflow. - Is the reader a recognized maintenance component or an anomalous binary? - Focus: `process.executable`, `process.command_line`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.parent.executable`. - Implication: escalate when the reader is unsigned, user-writable, renamed, or launched by a shell, script host, web worker, or remote-admin chain; lower suspicion when signer, path, command line, and parent match one recognized deployment, backup, scan, or web-maintenance component. Identity alone does not clear the read. - Do the account and lineage fit application maintenance on this host? - Focus: `user.id`, `user.name`, `process.parent.executable`, and `process.Ext.ancestry`. - Implication: escalate when the account lacks a web-admin, service, deployment, backup, or response role, the service identity is unexpected, or the parent is a shell, script host, web worker, or remote-admin tool; lower suspicion when identity, parent, and ancestry match one recognized workflow. - Did the same process enumerate or stage config secrets beyond one bounded read? - Focus: same-process file events by `host.id` and `process.entity_id`: `event.action`, `file.path`, and `file.Ext.original.path`; look for sibling "web.config", "applicationHost.config", backup or copied configs, script output, web-shell files, or archives. $investigate_0 - Implication: escalate when the process walks multiple site roots, opens server-wide config, reads backups, or writes collection/web-shell artifacts; lower suspicion when file activity stays inside one expected application path with no copy, archive, or helper-file staging. - Did direct child process activity show extraction, staging, or attempted use of exposed secrets? - Why: shell or encoded PowerShell chains can collect config contents, extract MachineKey material, or stage a web shell. - Focus: direct child process events on `host.id` where `process.parent.entity_id` matches `process.entity_id`: `process.executable`, `process.command_line`, and `process.parent.executable`. $investigate_1 - Hint: expand manually from direct children into deeper descendants or the recovered process tree. - Implication: escalate when children or descendants include "cmd.exe", PowerShell, archive tools, database clients, web-shell writers, or commands referencing MachineKey, validation keys, decryption keys, config copies, or archive staging; absent child events lower immediate-use concern only if the reader, path, and file pattern are already bounded. - If local evidence is suspicious or unresolved, does endpoint telemetry show broader config access or staging by the same user or host? - Focus: same-`user.id` file events with `file.path` values showing additional config reads, copied configs, script output, web-shell files, or archives. $investigate_2 - Hint: if the user identity is shared or sparse, review same-`host.id` and `user.id` process events: `process.executable`, `process.command_line`, and `process.Ext.ancestry`. $investigate_3 - Implication: expand scope when either view shows additional config reads, collection artifacts, staged scripts, or suspicious administration around the read window; keep the case local only when broader endpoint telemetry shows no additional staging and local evidence fits one exact workflow. - Escalate when path, reader identity, lineage, same-process file behavior, child/descendant behavior, or related alerts indicate unauthorized config access or secret staging; close only when path, process, user/session, lineage, and same-process file evidence bind to one recognized maintenance, deployment, backup, or response workflow and outside confirmation verifies legitimacy telemetry cannot prove; preserve artifacts and escalate when evidence is mixed or incomplete. ### False positive analysis - AV/EDR products may open web.config during scans. Confirm trusted-signed AV binary, SYSTEM or service account, and no same-process config copy, archive, or staging. - Deployment, backup, scanning, or IR workflows can open web.config. Confirm `process.executable`, signer, parent, `file.path`, `user.id`, and `host.id` align with one workflow, with no config copy, archive, web-shell, shell descendants, or broader enumeration. Do not close on historical similarity alone. - Build exceptions from `process.executable`, signer, parent, exact `file.path` root, `user.id`, and `host.id`. Avoid exceptions on "web.config" or host alone. For this new-terms rule, keep first-time cases as candidates until confirmed repeats show the same workflow. ### Response and remediation - If confirmed benign, reverse temporary containment and document which evidence proved the workflow: reader identity, parent lineage, `file.path`, `user.id`, `host.id`, and same-process file pattern. Create an exception only for the independently confirmed minimum workflow, not for "web.config" broadly. - If suspicious but unconfirmed, preserve the alert details, process tree, same-process file timeline, targeted config path, suspected copies, archives, script output, web-shell files, and case notes before containment. Apply reversible containment first, such as heightened monitoring, temporary account restrictions, or temporary outbound controls; isolate the host only if copied config, web-shell creation, or secret reuse is confirmed and service impact is acceptable. - If confirmed malicious, preserve the reader process instance, parent chain, targeted `file.path`, copied or staged config, script output, web-shell files, archives, and case notes before containment. Then contain the affected host or account based on the unauthorized reader, high-value path, enumeration, staged artifacts, or descendant process evidence, and record those identifiers before terminating processes or deleting files. - Rotate secrets exposed through the targeted `file.path`, including database credentials, MachineKey validation/decryption keys, OAuth/SAML secrets, and shared service-account credentials. Prioritize production, internet-facing, and shared application secrets. - Eradicate only the webshells, scripts, copied configuration files, archives, persistence mechanisms, and altered application files identified during the investigation; restore affected application configuration from known-good state and remediate the initial access or privilege path that allowed the read. """ setup = """## Setup This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules. Setup instructions: https://ela.st/install-elastic-defend """ [rule.investigation_fields] field_names = [ "@timestamp", "event.action", "host.name", "host.id", "user.name", "user.id", "user.domain", "process.entity_id", "process.executable", "process.command_line", "process.parent.executable", "process.code_signature.subject_name", "process.code_signature.trusted", "file.path", ] [transform] [[transform.investigate]] label = "File events for the same process" description = "" providers = [ [ { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } ] ] relativeFrom = "now-1h" relativeTo = "now" [[transform.investigate]] label = "Direct child process events" description = "" providers = [ [ { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" } ] ] relativeFrom = "now-1h" relativeTo = "now" [[transform.investigate]] label = "File events for the same user" description = "" providers = [ [ { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }, { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" } ] ] relativeFrom = "now-48h/h" relativeTo = "now" [[transform.investigate]] label = "Process events for the same host and user" description = "" providers = [ [ { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }, { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }, { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" } ] ] relativeFrom = "now-48h/h" relativeTo = "now" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."process.executable"] case_insensitive = true value = "?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\Web Server Extensions\\\\*\\\\BIN\\\\*" [rule.new_terms] field = "new_terms_fields" value = ["process.executable", "user.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" [[rule.threat.technique.subtechnique]] id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1005" name = "Data from Local System" reference = "https://attack.mitre.org/techniques/T1005/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/"