Microsoft IIS Service Account Password Dumped

Severity: high
Author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
Source: upstream

Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003` OS Credential Dumping

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_base_name`

or:
Image|endswith: '\appcmd.exe'
OriginalFileName: appcmd.exe

Stage 2: `all of selection_base_list`

CommandLine|contains: 'list '

Stage 3: `selection_standalone`

or:
CommandLine|contains: ' -config'
CommandLine|contains: ' -xml'
CommandLine|contains: ' /config'
CommandLine|contains: ' /xml'

Stage 4: `all of selection_cmd_flags`

or:
CommandLine|contains: ' -@t'
CommandLine|contains: ' -show'
CommandLine|contains: ' -text'
CommandLine|contains: ' /@t'
CommandLine|contains: ' /show'
CommandLine|contains: ' /text'

Stage 5: `all of selection_cmd_grep`

or:
CommandLine|contains: ':\*'
CommandLine|contains: password

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`-@t` `-config` `-show` `-text` `-xml` `/@t` `/config` `/show` `/text` `/xml` `:\*` `list` `password`
`Image`	ends_with	`\appcmd.exe` corpus 4 (sigma 4)
`OriginalFileName`	eq	`appcmd.exe` corpus 4 (sigma 4)

Microsoft IIS Service Account Password Dumped

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_base_name

Stage 2: all of selection_base_list

Stage 3: selection_standalone