Tag
medium
advisory
IIS AppCmd Tool Used to Dump Service Account Credentials
2 rules, 2 TTPs
Attackers with access to IIS web servers may use the AppCmd command-line tool to dump sensitive configuration data, including application pool credentials, potentially leading to lateral movement and privilege escalation.
IIS
credential-access
appcmd
windows
high
advisory
IIS HTTP Logging Disabled via AppCmd
2 rules, 1 TTP
An attacker with IIS server access can disable HTTP Logging using `appcmd.exe` to evade defenses and prevent forensic analysis. Detection is based on the execution of `appcmd.exe` with arguments that disable logging.
Elastic Defend +3
defense-evasion
iis
httplogging
appcmd
windows
medium
advisory
Microsoft IIS Service Account Password Dump via AppCmd
2 rules, 2 TTPs
An attacker with IIS web server access via a web shell can extract service account passwords by requesting full configuration output or targeting credential-related fields using the AppCmd tool.
IIS
credential-access
appcmd
windows