{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/iis/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["IIS"],"_cs_severities":["medium"],"_cs_tags":["credential-access","iis","appcmd","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers who have gained a foothold on a Windows web server running Internet Information Services (IIS) may attempt to extract sensitive information, such as application pool credentials, to facilitate lateral movement and privilege escalation. This is achieved by leveraging the AppCmd.exe utility, a command-line tool used to manage IIS configurations. By issuing specific commands, attackers can dump the entire web server configuration or target specific fields containing credential-related data, exposing usernames, passwords, and connection strings in clear text. Successful exploitation allows attackers to reuse these credentials to access other systems within the environment, potentially leading to significant data breaches or system compromise. 
This technique is particularly effective against organizations that store sensitive credentials within their IIS configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Windows web server, often through a web shell or by exploiting a vulnerability in a web application.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eappcmd.exe\u003c/code\u003e via the command line.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003elist\u003c/code\u003e argument to enumerate application pools or other relevant IIS configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003e/text:*password*\u003c/code\u003e, \u003ccode\u003e/text:*processModel*\u003c/code\u003e, \u003ccode\u003e/text:*userName*\u003c/code\u003e, \u003ccode\u003e/config\u003c/code\u003e or \u003ccode\u003e*connectionstring*\u003c/code\u003e parameters with \u003ccode\u003eappcmd.exe\u003c/code\u003e to filter the output and specifically target credential-related data. Alternatively the attacker may use \u003ccode\u003e/text:*\u003c/code\u003e to output the full configuration.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eappcmd.exe\u003c/code\u003e outputs the requested configuration data, which may include usernames, passwords, and connection strings in clear text.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output to extract valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to authenticate to other systems or services within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves lateral movement, privilege escalation, and access to sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to recover service account passwords and other sensitive credentials stored within the IIS configuration. 
This can lead to unauthorized access to databases, file shares, and other internal systems, potentially resulting in data breaches, financial loss, and reputational damage. While the rule itself is low severity, the subsequent impact of exposed credentials can be severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Microsoft IIS Service Account Password Dumped\u0026rdquo; Sigma rule to your SIEM to detect the use of \u003ccode\u003eappcmd.exe\u003c/code\u003e to dump sensitive IIS configuration data.\u003c/li\u003e\n\u003cli\u003eReview IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files as suggested in the rule\u0026rsquo;s Triage and Analysis section.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to activate the rule above and provide detailed process execution data, including command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement password rotation for affected service accounts as suggested in the rule\u0026rsquo;s Triage and Analysis section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-iis-appcmd-credential-dump/","summary":"Attackers with access to IIS web servers may use the AppCmd command-line tool to dump sensitive configuration data, including application pool credentials, potentially leading to lateral movement and privilege escalation.","title":"IIS AppCmd Tool Used to Dump Service Account Credentials","url":"https://feed.craftedsignal.io/briefs/2024-01-iis-appcmd-credential-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["IIS"],"_cs_severities":["high"],"_cs_tags":["credential-access","iis","aspnet_regiis","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves the decryption of Microsoft IIS connection strings using the 
\u003ccode\u003easpnet_regiis\u003c/code\u003e utility. An attacker who has gained unauthorized access to an IIS web server, typically through a webshell or similar exploit, can leverage this technique to extract sensitive information. The \u003ccode\u003easpnet_regiis\u003c/code\u003e tool, a legitimate .NET utility, is misused to decrypt connection strings, which often contain hardcoded credentials for databases like MSSQL. This allows the attacker to potentially compromise service accounts and gain further access to the compromised network. The described behavior has been observed in relation to espionage campaigns targeting telecommunications in South Asia, as detailed by Symantec. Defenders should be aware that successful exploitation allows for lateral movement and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Microsoft IIS web server, often through exploiting a vulnerability that enables webshell deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the webshell to execute commands on the compromised server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003easpnet_regiis.exe\u003c/code\u003e with the \u003ccode\u003e-pdf\u003c/code\u003e or \u003ccode\u003e-pd\u003c/code\u003e options to decrypt the \u003ccode\u003econnectionStrings\u003c/code\u003e section of the web.config file.\u003c/li\u003e\n\u003cli\u003eThe command \u003ccode\u003easpnet_regiis.exe -pdf connectionStrings \u0026lt;application_path\u0026gt;\u003c/code\u003e is used to decrypt the connection strings for a specific application.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the decrypted connection strings, which may contain usernames, passwords, and connection details for MSSQL or other databases.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to access the database server and potentially other systems on the 
network, achieving lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker may then exfiltrate sensitive data from the database server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses gathered credentials to perform further actions or maintain persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exposure of sensitive database credentials, allowing attackers to access and exfiltrate confidential information. This can result in significant data breaches, financial losses, and reputational damage. Depending on the compromised accounts\u0026rsquo; privileges, attackers could gain control over critical systems and services. Compromised credentials may allow lateral movement to other systems and applications within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect IIS Connection String Decryption\u0026rdquo; to your SIEM and tune for your environment to detect the usage of \u003ccode\u003easpnet_regiis.exe\u003c/code\u003e with connection string decryption parameters.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003easpnet_regiis.exe\u003c/code\u003e with arguments containing \u003ccode\u003econnectionStrings\u003c/code\u003e, \u003ccode\u003e-pdf\u003c/code\u003e, or \u003ccode\u003e-pd\u003c/code\u003e (per the detection rule) to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls on IIS web servers to limit the ability of attackers to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eReview IIS web server configurations for weak or hardcoded credentials in connection strings and implement secure credential management practices.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command line arguments for executed processes and 
facilitate detection of malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-iis-connection-string-decryption/","summary":"An attacker with Microsoft IIS web server access can decrypt and dump hardcoded connection strings, such as MSSQL service account passwords, using the aspnet_regiis utility, potentially leading to credential compromise.","title":"Microsoft IIS Connection String Decryption via aspnet_regiis","url":"https://feed.craftedsignal.io/briefs/2024-01-iis-connection-string-decryption/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","iis","httplogging","appcmd","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers with access to an Internet Information Services (IIS) server, potentially through a webshell or other compromised entry point, may disable HTTP logging as a defense evasion technique. This is typically achieved by using the \u003ccode\u003eappcmd.exe\u003c/code\u003e utility with specific arguments to modify the IIS configuration, preventing the server from recording HTTP requests and responses. Disabling logging makes it significantly harder for defenders to detect malicious activity, trace attacker actions, and perform effective incident response. This activity is a common tactic employed by threat actors to obscure their presence and maintain persistence within a compromised environment, particularly when deploying webshells or conducting lateral movement. 
This behavior is typically observed post-exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the IIS server, possibly via a webshell or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003eappcmd.exe\u003c/code\u003e to modify the IIS configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eappcmd.exe\u003c/code\u003e command includes arguments to disable HTTP logging, such as \u003ccode\u003e/dontLog*:*True\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command targets specific sites, applications, or the entire server depending on the attacker\u0026rsquo;s objectives.\u003c/li\u003e\n\u003cli\u003eIIS configuration files, such as \u003ccode\u003eapplicationHost.config\u003c/code\u003e or \u003ccode\u003eweb.config\u003c/code\u003e, are modified to reflect the changes.\u003c/li\u003e\n\u003cli\u003eHTTP logging is disabled, preventing the server from recording HTTP requests and responses.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious activities, such as deploying webshells, without generating HTTP logs.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistence and evades detection by preventing forensic analysis.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of IIS HTTP logging can severely impair incident response capabilities. Organizations may be unable to detect malicious activity within their web infrastructure, leading to prolonged compromises and increased damage. This technique can be particularly damaging when attackers deploy webshells or conduct lateral movement within the network. Without HTTP logs, tracing attacker actions and identifying compromised systems becomes significantly more challenging. 
The impact can range from data breaches to system downtime and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;IIS HTTP Logging Disabled via AppCmd\u0026rdquo; to your SIEM to detect when \u003ccode\u003eappcmd.exe\u003c/code\u003e is used to disable HTTP logging.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with Event ID 1 to capture the execution of \u003ccode\u003eappcmd.exe\u003c/code\u003e with the relevant arguments, enabling detection via the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process of \u003ccode\u003eappcmd.exe\u003c/code\u003e and the user account under which it was executed.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to IIS configuration files (\u003ccode\u003eapplicationHost.config\u003c/code\u003e, \u003ccode\u003eweb.config\u003c/code\u003e) to detect unauthorized changes to logging settings.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate the configuration of IIS HTTP logging to ensure it remains enabled and properly configured.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-iis-http-logging-disabled/","summary":"An attacker with IIS server access can disable HTTP Logging using `appcmd.exe` to evade defenses and prevent forensic analysis, as detected by the execution of `appcmd.exe` with arguments to disable logging.","title":"IIS HTTP Logging Disabled via AppCmd","url":"https://feed.craftedsignal.io/briefs/2024-01-iis-http-logging-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["IIS"],"_cs_severities":["medium"],"_cs_tags":["credential-access","iis","appcmd","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Internet Information 
Services (IIS) command-line tool, AppCmd, is used to manage IIS configurations. An attacker who gains access to an IIS web server, often through a web shell, can leverage AppCmd to dump sensitive configuration data, including application pool credentials. This involves requesting full configuration output or targeting specific credential-related fields, potentially exposing service account passwords in clear text. This activity is typically post-compromise and indicates an attempt to escalate privileges or move laterally within the network. The risk lies in the exposure of credentials that can be reused to access other systems or data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the IIS web server, commonly through exploiting a vulnerability or uploading a web shell (e.g., ASPX or PHP).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to execute commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eappcmd.exe\u003c/code\u003e to list the IIS configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eappcmd.exe\u003c/code\u003e command includes arguments to display specific configuration sections related to credentials, such as application pool identities, process model settings, or connection strings. 
Examples of command line arguments used are \u003ccode\u003e/text:*password*\u003c/code\u003e, \u003ccode\u003e/text:*processModel*\u003c/code\u003e, \u003ccode\u003e/text:*userName*\u003c/code\u003e, \u003ccode\u003e/config\u003c/code\u003e, or \u003ccode\u003e*connectionstring*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eappcmd.exe\u003c/code\u003e outputs the requested configuration data to the console, which includes sensitive information like usernames and passwords in plaintext.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the output containing the credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired credentials to move laterally to other systems on the network or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exposure of sensitive credentials, enabling attackers to perform lateral movement, privilege escalation, and data exfiltration. The number of potential victims is dependent on the scope of the attacker\u0026rsquo;s access and the configuration of the IIS server. Sectors commonly targeted include organizations that rely heavily on web applications and services, such as e-commerce, finance, and healthcare. 
If successful, the attacker can gain complete control over critical systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture \u003ccode\u003eappcmd.exe\u003c/code\u003e execution with command-line arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect IIS AppCmd Credential Dumping\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files, requests containing command-execution parameters, or uploads to writable web paths.\u003c/li\u003e\n\u003cli\u003eImplement privileged access management (PAM) solutions to restrict the usage of service accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-iis-appcmd-credential-dump/","summary":"An attacker with IIS web server access via a web shell can extract service account passwords by requesting full configuration output or targeting credential-related fields using the AppCmd tool.","title":"Microsoft IIS Service Account Password Dump via AppCmd","url":"https://feed.craftedsignal.io/briefs/2024-01-02-iis-appcmd-credential-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","IIS"],"_cs_severities":["high"],"_cs_tags":["iis","logging","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies the use of \u003ccode\u003eAppCmd.exe\u003c/code\u003e to disable HTTP logging on Internet Information Services (IIS) servers. The technique is significant as adversaries can use it to erase traces of their malicious activities. 
The detection focuses on process execution events logged by Endpoint Detection and Response (EDR) agents. By disabling HTTP logging, attackers can operate undetected, making it difficult to trace their actions and respond effectively to intrusions. The references indicate this technique has been observed in campaigns attributed to threat actors like OilRig, where IIS backdoors are used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system via exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker gains a foothold on the IIS server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eappcmd.exe\u003c/code\u003e to modify IIS settings.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eappcmd.exe\u003c/code\u003e is executed with parameters to disable HTTP logging, such as \u003ccode\u003ehttplogging\u003c/code\u003e or \u003ccode\u003edontlog:true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe command modifies the IIS configuration, preventing HTTP request logs from being recorded.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions on the compromised server (e.g., web shell deployment, data theft).\u003c/li\u003e\n\u003cli\u003eWith HTTP logging disabled, the attacker\u0026rsquo;s activities are not recorded in standard IIS logs, hindering forensic analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and continues to exploit the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to a significant reduction in visibility into attacker activities on IIS servers. The lack of HTTP logs hinders incident response efforts, making it difficult to identify the scope and nature of the compromise. 
This could lead to prolonged attacker presence, further data exfiltration, or deployment of malicious software. This technique is a common step to evade defenses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect IIS HTTP Logging Disabled via AppCmd.exe\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture command-line arguments of \u003ccode\u003eappcmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003eappcmd.exe\u003c/code\u003e with command-line arguments related to \u003ccode\u003ehttplogging\u003c/code\u003e or \u003ccode\u003edontlog:true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eappcmd.exe\u003c/code\u003e being executed by non-administrator accounts or unusual parent processes.\u003c/li\u003e\n\u003cli\u003eReview IIS configuration regularly for any unauthorized changes to HTTP logging settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-01T00:00:00Z","date_published":"2024-01-01T00:00:00Z","id":"/briefs/2024-01-disable-iis-logging/","summary":"This analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers, allowing adversaries to evade detection by removing evidence of their actions.","title":"Detection of IIS HTTP Logging Disabled via AppCmd.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-iis-logging/"}],"language":"en","title":"CraftedSignal Threat Feed — Iis","version":"https://jsonfeed.org/version/1.1"}