https://feed.craftedsignal.io/tags/appcmd/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 09 Jan 2024 10:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-iis-appcmd-credential-dump/Tue, 09 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-iis-appcmd-credential-dump/Attackers with access to IIS web servers may use the AppCmd command-line tool to dump sensitive configuration data, including application pool credentials, potentially leading to lateral movement and privilege escalation.Attackers who have gained a foothold on a Windows web server running Internet Information Services (IIS) may attempt to extract sensitive information, such as application pool credentials, to facilitate lateral movement and privilege escalation. This is achieved by leveraging the AppCmd.exe utility, a command-line tool used to manage IIS configurations. By issuing specific commands, attackers can dump the entire web server configuration or target specific fields containing credential-related data, exposing usernames, passwords, and connection strings in clear text. Successful exploitation allows attackers to reuse these credentials to access other systems within the environment, potentially leading to significant data breaches or system compromise. This technique is particularly effective against organizations that store sensitive credentials within their IIS configurations.

Attack Chain

1. The attacker gains initial access to the Windows web server, often through a web shell or by exploiting a vulnerability in a web application.
2. The attacker executes appcmd.exe via the command line.
3. The attacker uses the list argument to enumerate application pools or other relevant IIS configurations.
4. The attacker uses /text:*password*, /text:*processModel*, /text:*userName*, /config or *connectionstring* parameters with appcmd.exe to filter the output and specifically target credential-related data. Alternatively the attacker may use /text:* to output the full configuration.
5. appcmd.exe outputs the requested configuration data, which may include usernames, passwords, and connection strings in clear text.
6. The attacker parses the output to extract valid credentials.
7. The attacker uses the extracted credentials to authenticate to other systems or services within the network.
8. The attacker achieves lateral movement, privilege escalation, and access to sensitive data.

Impact

Successful exploitation allows attackers to recover service account passwords and other sensitive credentials stored within the IIS configuration. This can lead to unauthorized access to databases, file shares, and other internal systems, potentially resulting in data breaches, financial loss, and reputational damage. While the rule itself is low severity, the subsequent impact of exposed credentials can be severe.

Recommendation

• Deploy the “Microsoft IIS Service Account Password Dumped” Sigma rule to your SIEM to detect the use of appcmd.exe to dump sensitive IIS configuration data.
• Review IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files as suggested in the rule’s Triage and Analysis section.
• Enable Sysmon process creation logging to activate the rules above and provide detailed process execution data.
• Implement the password rotation for affected service accounts as suggested in the rule’s Triage and Analysis section.

]]>mediumadvisorycredential-accessiisappcmdwindowshttps://feed.craftedsignal.io/briefs/2024-01-iis-http-logging-disabled/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-iis-http-logging-disabled/An attacker with IIS server access can disable HTTP Logging using `appcmd.exe` to evade defenses and prevent forensic analysis, as detected by the execution of `appcmd.exe` with arguments to disable logging.Attackers with access to an Internet Information Services (IIS) server, potentially through a webshell or other compromised entry point, may disable HTTP logging as a defense evasion technique. This is typically achieved by using the appcmd.exe utility with specific arguments to modify the IIS configuration, preventing the server from recording HTTP requests and responses. Disabling logging makes it significantly harder for defenders to detect malicious activity, trace attacker actions, and perform effective incident response. This activity is a common tactic employed by threat actors to obscure their presence and maintain persistence within a compromised environment, particularly when deploying webshells or conducting lateral movement. This behavior is typically observed post-exploitation.

Attack Chain

1. Attacker gains initial access to the IIS server, possibly via a webshell or exploiting a vulnerability.
2. Attacker executes appcmd.exe to modify the IIS configuration.
3. The appcmd.exe command includes arguments to disable HTTP logging, such as /dontLog*:*True.
4. The command targets specific sites, applications, or the entire server depending on the attacker’s objectives.
5. IIS configuration files, such as applicationHost.config or web.config, are modified to reflect the changes.
6. HTTP logging is disabled, preventing the server from recording HTTP requests and responses.
7. Attacker performs malicious activities, such as deploying webshells, without generating HTTP logs.
8. Attacker maintains persistence and evades detection by preventing forensic analysis.

Impact

Successful disabling of IIS HTTP logging can severely impair incident response capabilities. Organizations may be unable to detect malicious activity within their web infrastructure, leading to prolonged compromises and increased damage. This technique can be particularly damaging when attackers deploy webshells or conduct lateral movement within the network. Without HTTP logs, tracing attacker actions and identifying compromised systems becomes significantly more challenging. The impact can range from data breaches to system downtime and reputational damage.

Recommendation

• Deploy the Sigma rule “IIS HTTP Logging Disabled via AppCmd” to your SIEM to detect when appcmd.exe is used to disable HTTP logging.
• Enable Sysmon process creation logging with Event ID 1 to capture the execution of appcmd.exe with the relevant arguments, enabling detection via the Sigma rules.
• Investigate any alerts generated by the Sigma rule, focusing on the parent process of appcmd.exe and the user account under which it was executed.
• Monitor for modifications to IIS configuration files (applicationHost.config, web.config) to detect unauthorized changes to logging settings.
• Regularly review and validate the configuration of IIS HTTP logging to ensure it remains enabled and properly configured.

]]>highadvisorydefense-evasioniishttploggingappcmdwindowshttps://feed.craftedsignal.io/briefs/2024-01-02-iis-appcmd-credential-dump/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-iis-appcmd-credential-dump/An attacker with IIS web server access via a web shell can extract service account passwords by requesting full configuration output or targeting credential-related fields using the AppCmd tool.The Microsoft Internet Information Services (IIS) command-line tool, AppCmd, is used to manage IIS configurations. An attacker who gains access to an IIS web server, often through a web shell, can leverage AppCmd to dump sensitive configuration data, including application pool credentials. This involves requesting full configuration output or targeting specific credential-related fields, potentially exposing service account passwords in clear text. This activity is typically post-compromise and indicates an attempt to escalate privileges or move laterally within the network. The risk lies in the exposure of credentials that can be reused to access other systems or data.

Attack Chain

1. An attacker gains initial access to the IIS web server, commonly through exploiting a vulnerability or uploading a web shell (e.g., ASPX or PHP).
2. The attacker uses the web shell to execute commands on the server.
3. The attacker uses appcmd.exe to list the IIS configuration.
4. The appcmd.exe command includes arguments to display specific configuration sections related to credentials, such as application pool identities, process model settings, or connection strings. Examples of command line arguments used are /text:*password*, /text:*processModel*, /text:*userName*, /config, or *connectionstring*.
5. appcmd.exe outputs the requested configuration data to the console, which includes sensitive information like usernames and passwords in plaintext.
6. The attacker captures the output containing the credentials.
7. The attacker uses the acquired credentials to move laterally to other systems on the network or access sensitive data.

Impact

Successful exploitation can lead to the exposure of sensitive credentials, enabling attackers to perform lateral movement, privilege escalation, and data exfiltration. The number of potential victims is dependent on the scope of the attacker’s access and the configuration of the IIS server. Sectors commonly targeted include organizations that rely heavily on web applications and services, such as e-commerce, finance, and healthcare. If successful, the attacker can gain complete control over critical systems and data.

Recommendation

• Enable Sysmon process creation logging to capture appcmd.exe execution with command-line arguments.
• Deploy the Sigma rule Detect IIS AppCmd Credential Dumping to your SIEM and tune for your environment.
• Monitor IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files, requests containing command-execution parameters, or uploads to writable web paths.
• Implement privileged access management (PAM) solutions to restrict the usage of service accounts.

]]>mediumadvisorycredential-accessiisappcmdwindows