Product

IIS

4 briefs RSS

IIS AppCmd Tool Used to Dump Service Account Credentials

Attackers with access to IIS web servers may use the AppCmd command-line tool to dump sensitive configuration data, including application pool credentials, potentially leading to lateral movement and privilege escalation.

IIS credential-access appcmd windows

2r 2t Jan 9, 2024

high advisory

Microsoft IIS Connection String Decryption via aspnet_regiis

3 rules 1 TTP

An attacker with Microsoft IIS web server access can decrypt and dump hardcoded connection strings, such as MSSQL service account passwords, using the aspnet_regiis utility, potentially leading to credential compromise.

IIS credential-access aspnet_regiis windows

3r 1t Jan 3, 2024

medium advisory

Microsoft IIS Service Account Password Dump via AppCmd

2 rules 2 TTPs

An attacker with IIS web server access via a web shell can extract service account passwords by requesting full configuration output or targeting credential-related fields using the AppCmd tool.

IIS credential-access appcmd windows

2r 2t Jan 2, 2024

high advisory

Detection of IIS HTTP Logging Disabled via AppCmd.exe

2 rules 2 TTPs

This analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers, allowing adversaries to evade detection by removing evidence of their actions.

Splunk Enterprise +3 iis logging defense-evasion windows

2r 2t Jan 1, 2024