Iis

Attackers with access to IIS web servers may use the AppCmd command-line tool to dump sensitive configuration data, including application pool credentials, potentially leading to lateral movement and privilege escalation.

An attacker with Microsoft IIS web server access can decrypt and dump hardcoded connection strings, such as MSSQL service account passwords, using the aspnet_regiis utility, potentially leading to credential compromise.

An attacker with IIS server access can disable HTTP Logging using `appcmd.exe` to evade defenses and prevent forensic analysis, as detected by the execution of `appcmd.exe` with arguments to disable logging.

An attacker with IIS web server access via a web shell can extract service account passwords by requesting full configuration output or targeting credential-related fields using the AppCmd tool.

This analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers, allowing adversaries to evade detection by removing evidence of their actions.