Iis — CraftedSignal Threat Feed

IIS AppCmd Tool Used to Dump Service Account Credentials

hello@craftedsignal.io — Tue, 09 Jan 2024 10:00:00 +0000

Attackers who have gained a foothold on a Windows web server running Internet Information Services (IIS) may attempt to extract sensitive information, such as application pool credentials, to facilitate lateral movement and privilege escalation. This is achieved by leveraging the AppCmd.exe utility, a command-line tool used to manage IIS configurations. By issuing specific commands, attackers can dump the entire web server configuration or target specific fields containing credential-related data, exposing usernames, passwords, and connection strings in clear text. Successful exploitation allows attackers to reuse these credentials to access other systems within the environment, potentially leading to significant data breaches or system compromise. This technique is particularly effective against organizations that store sensitive credentials within their IIS configurations.

Attack Chain

The attacker gains initial access to the Windows web server, often through a web shell or by exploiting a vulnerability in a web application.
The attacker executes appcmd.exe via the command line.
The attacker uses the list argument to enumerate application pools or other relevant IIS configurations.
The attacker uses /text:*password*, /text:*processModel*, /text:*userName*, /config or *connectionstring* parameters with appcmd.exe to filter the output and specifically target credential-related data. Alternatively the attacker may use /text:* to output the full configuration.
appcmd.exe outputs the requested configuration data, which may include usernames, passwords, and connection strings in clear text.
The attacker parses the output to extract valid credentials.
The attacker uses the extracted credentials to authenticate to other systems or services within the network.
The attacker achieves lateral movement, privilege escalation, and access to sensitive data.

Impact

Successful exploitation allows attackers to recover service account passwords and other sensitive credentials stored within the IIS configuration. This can lead to unauthorized access to databases, file shares, and other internal systems, potentially resulting in data breaches, financial loss, and reputational damage. While the rule itself is low severity, the subsequent impact of exposed credentials can be severe.

Recommendation

Deploy the “Microsoft IIS Service Account Password Dumped” Sigma rule to your SIEM to detect the use of appcmd.exe to dump sensitive IIS configuration data.
Review IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files as suggested in the rule’s Triage and Analysis section.
Enable Sysmon process creation logging to activate the rules above and provide detailed process execution data.
Implement the password rotation for affected service accounts as suggested in the rule’s Triage and Analysis section.

Microsoft IIS Connection String Decryption via aspnet_regiis

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat involves the decryption of Microsoft IIS connection strings using the aspnet_regiis utility. An attacker who has gained unauthorized access to an IIS web server, typically through a webshell or similar exploit, can leverage this technique to extract sensitive information. The aspnet_regiis tool, a legitimate .NET utility, is misused to decrypt connection strings, which often contain hardcoded credentials for databases like MSSQL. This allows the attacker to potentially compromise service accounts and gain further access to the compromised network. The described behavior has been observed in relation to espionage campaigns targeting telecommunications in South Asia, as detailed by Symantec. Defenders should be aware that successful exploitation allows for lateral movement and data exfiltration.

Attack Chain

The attacker gains initial access to a Microsoft IIS web server, often through exploiting a vulnerability that enables webshell deployment.
The attacker uses the webshell to execute commands on the compromised server.
The attacker uses aspnet_regiis.exe with the -pdf or -pd options to decrypt the connectionStrings section of the web.config file.
The command aspnet_regiis.exe -pdf connectionStrings is used to decrypt the connection strings for a specific application.
The attacker retrieves the decrypted connection strings, which may contain usernames, passwords, and connection details for MSSQL or other databases.
The attacker uses the compromised credentials to access the database server and potentially other systems on the network, achieving lateral movement.
The attacker may then exfiltrate sensitive data from the database server.
The attacker uses gathered credentials to perform further actions or maintain persistence.

Impact

Successful exploitation can lead to the exposure of sensitive database credentials, allowing attackers to access and exfiltrate confidential information. This can result in significant data breaches, financial losses, and reputational damage. Depending on the compromised accounts’ privileges, attackers could gain control over critical systems and services. Compromised credentials may allow lateral movement to other systems and applications within the network.

Recommendation

Deploy the Sigma rule “Detect IIS Connection String Decryption” to your SIEM and tune for your environment to detect the usage of aspnet_regiis.exe with connection string decryption parameters.
Monitor process creation events for aspnet_regiis.exe with arguments containing connectionStrings, -pdf, or -pd (per the detection rule) to identify potential exploitation attempts.
Implement strict access controls on IIS web servers to limit the ability of attackers to execute arbitrary commands.
Review IIS web server configurations for weak or hardcoded credentials in connection strings and implement secure credential management practices.
Enable Sysmon process creation logging to capture command line arguments for executed processes and facilitate detection of malicious activity.

IIS HTTP Logging Disabled via AppCmd

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

Attackers with access to an Internet Information Services (IIS) server, potentially through a webshell or other compromised entry point, may disable HTTP logging as a defense evasion technique. This is typically achieved by using the appcmd.exe utility with specific arguments to modify the IIS configuration, preventing the server from recording HTTP requests and responses. Disabling logging makes it significantly harder for defenders to detect malicious activity, trace attacker actions, and perform effective incident response. This activity is a common tactic employed by threat actors to obscure their presence and maintain persistence within a compromised environment, particularly when deploying webshells or conducting lateral movement. This behavior is typically observed post-exploitation.

Attack Chain

Attacker gains initial access to the IIS server, possibly via a webshell or exploiting a vulnerability.
Attacker executes appcmd.exe to modify the IIS configuration.
The appcmd.exe command includes arguments to disable HTTP logging, such as /dontLog*:*True.
The command targets specific sites, applications, or the entire server depending on the attacker’s objectives.
IIS configuration files, such as applicationHost.config or web.config, are modified to reflect the changes.
HTTP logging is disabled, preventing the server from recording HTTP requests and responses.
Attacker performs malicious activities, such as deploying webshells, without generating HTTP logs.
Attacker maintains persistence and evades detection by preventing forensic analysis.

Impact

Successful disabling of IIS HTTP logging can severely impair incident response capabilities. Organizations may be unable to detect malicious activity within their web infrastructure, leading to prolonged compromises and increased damage. This technique can be particularly damaging when attackers deploy webshells or conduct lateral movement within the network. Without HTTP logs, tracing attacker actions and identifying compromised systems becomes significantly more challenging. The impact can range from data breaches to system downtime and reputational damage.

Recommendation

Deploy the Sigma rule “IIS HTTP Logging Disabled via AppCmd” to your SIEM to detect when appcmd.exe is used to disable HTTP logging.
Enable Sysmon process creation logging with Event ID 1 to capture the execution of appcmd.exe with the relevant arguments, enabling detection via the Sigma rules.
Investigate any alerts generated by the Sigma rule, focusing on the parent process of appcmd.exe and the user account under which it was executed.
Monitor for modifications to IIS configuration files (applicationHost.config, web.config) to detect unauthorized changes to logging settings.
Regularly review and validate the configuration of IIS HTTP logging to ensure it remains enabled and properly configured.

Microsoft IIS Service Account Password Dump via AppCmd

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The Microsoft Internet Information Services (IIS) command-line tool, AppCmd, is used to manage IIS configurations. An attacker who gains access to an IIS web server, often through a web shell, can leverage AppCmd to dump sensitive configuration data, including application pool credentials. This involves requesting full configuration output or targeting specific credential-related fields, potentially exposing service account passwords in clear text. This activity is typically post-compromise and indicates an attempt to escalate privileges or move laterally within the network. The risk lies in the exposure of credentials that can be reused to access other systems or data.

Attack Chain

An attacker gains initial access to the IIS web server, commonly through exploiting a vulnerability or uploading a web shell (e.g., ASPX or PHP).
The attacker uses the web shell to execute commands on the server.
The attacker uses appcmd.exe to list the IIS configuration.
The appcmd.exe command includes arguments to display specific configuration sections related to credentials, such as application pool identities, process model settings, or connection strings. Examples of command line arguments used are /text:*password*, /text:*processModel*, /text:*userName*, /config, or *connectionstring*.
appcmd.exe outputs the requested configuration data to the console, which includes sensitive information like usernames and passwords in plaintext.
The attacker captures the output containing the credentials.
The attacker uses the acquired credentials to move laterally to other systems on the network or access sensitive data.

Impact

Successful exploitation can lead to the exposure of sensitive credentials, enabling attackers to perform lateral movement, privilege escalation, and data exfiltration. The number of potential victims is dependent on the scope of the attacker’s access and the configuration of the IIS server. Sectors commonly targeted include organizations that rely heavily on web applications and services, such as e-commerce, finance, and healthcare. If successful, the attacker can gain complete control over critical systems and data.

Recommendation

Enable Sysmon process creation logging to capture appcmd.exe execution with command-line arguments.
Deploy the Sigma rule Detect IIS AppCmd Credential Dumping to your SIEM and tune for your environment.
Monitor IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files, requests containing command-execution parameters, or uploads to writable web paths.
Implement privileged access management (PAM) solutions to restrict the usage of service accounts.

Detection of IIS HTTP Logging Disabled via AppCmd.exe

hello@craftedsignal.io — Mon, 01 Jan 2024 00:00:00 +0000

This detection identifies the use of AppCmd.exe to disable HTTP logging on Internet Information Services (IIS) servers. The technique is significant as adversaries can use it to erase traces of their malicious activities. The detection focuses on process execution events logged by Endpoint Detection and Response (EDR) agents. By disabling HTTP logging, attackers can operate undetected, making it difficult to trace their actions and respond effectively to intrusions. The references indicate this technique has been observed in campaigns attributed to threat actors like OilRig, where IIS backdoors are used.

Attack Chain

Initial access to the system via exploitation of a vulnerability or compromised credentials.
Attacker gains a foothold on the IIS server.
The attacker executes appcmd.exe to modify IIS settings.
appcmd.exe is executed with parameters to disable HTTP logging, such as httplogging or dontlog:true.
The command modifies the IIS configuration, preventing HTTP request logs from being recorded.
The attacker performs malicious actions on the compromised server (e.g., web shell deployment, data theft).
With HTTP logging disabled, the attacker’s activities are not recorded in standard IIS logs, hindering forensic analysis.
The attacker maintains persistence and continues to exploit the compromised system.

Impact

Successful execution of this attack can lead to a significant reduction in visibility into attacker activities on IIS servers. The lack of HTTP logs hinders incident response efforts, making it difficult to identify the scope and nature of the compromise. This could lead to prolonged attacker presence, further data exfiltration, or deployment of malicious software. This technique is a common step to evade defenses.

Recommendation

Deploy the Sigma rule Detect IIS HTTP Logging Disabled via AppCmd.exe to your SIEM and tune for your environment.
Enable Sysmon process creation logging (Event ID 1) to capture command-line arguments of appcmd.exe.
Monitor process execution events for appcmd.exe with command-line arguments related to httplogging or dontlog:true.
Investigate any instances of appcmd.exe being executed by non-administrator accounts or unusual parent processes.
Review IIS configuration regularly for any unauthorized changes to HTTP logging settings.