Merged
Binary file modified detection_rules/etc/beats_schemas/main.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz
Binary file modified detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz
Binary file modified detection_rules/etc/integration-manifests.json.gz
Binary file modified detection_rules/etc/integration-schemas.json.gz
4 changes: 2 additions & 2 deletions detection_rules/etc/stack-schema-map.yaml
Expand Up @@ -150,11 +150,11 @@
endgame: "8.4.0"

"9.4.0":
beats: "9.3.3"
beats: "9.3.4"
ecs: "9.4.0-rc1"
endgame: "8.4.0"

"9.5.0":
beats: "9.3.3"
beats: "9.3.4"
ecs: "9.4.0-rc1"
endgame: "8.4.0"
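Review bot: the only textual change in this hunk is the beats pin moving from "9.3.3" to "9.3.4" for the "9.4.0" and "9.5.0" stack entries, yet the file list shows every ecs_schemas/*/ecs_flat.json.gz and ecs_nested.json.gz from 8.1.0 through 9.4.0-rc1, plus integration-manifests.json.gz and integration-schemas.json.gz, as modified. If the regeneration step rewrote archives whose decompressed content did not change, that churn is most likely the gzip header timestamp; writing them with a fixed mtime (gzip.GzipFile(..., mtime=0) in Python) keeps unchanged schemas byte-identical so the diff only carries the beats 9.3.4 refresh and any real ECS updates. Worth confirming as well that both entries are meant to stay on ecs "9.4.0-rc1", since that pin is left untouched while the beats pin advances.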
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.6.31"
version = "1.6.32"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
25 changes: 24 additions & 1 deletion rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/08/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/21"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
Expand All @@ -26,6 +26,28 @@ index = [
language = "eql"
license = "Elastic License v2"
name = "Microsoft IIS Service Account Password Dumped"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft IIS Service Account Password Dumped

This rule detects the IIS administration utility being launched to print full web server configuration or credential-bearing settings, which can expose application pool usernames, passwords, and connection strings in clear text. An attacker who lands on a Windows web server through a web shell can run the tool to enumerate process model settings, recover the service account password, and reuse those credentials for lateral movement or deeper access to backend systems.

### Possible investigation steps

- Review the process tree, executing user, logon session, integrity level, and remote-interactive context to determine whether the command was launched by an authorized administrator, a scripted maintenance task, or through a suspicious parent such as cmd.exe, powershell.exe, w3wp.exe, or a web shell.
- Build a short timeline on the host around the execution to identify adjacent discovery or credential-access activity, including archive or encode tools, file staging in web directories, registry access, and outbound connections to unusual internal or external destinations.
- Inspect recent IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files, requests containing command-execution parameters, uploads to writable web paths, or authentication bypass behavior preceding the event.
- Determine which application pools, virtual directories, or connection strings were exposed, then review subsequent authentication and service activity for the recovered account on other systems to spot lateral movement, privilege escalation, or access to databases and file shares.
- If the activity is unauthorized, preserve the relevant IIS configuration and web content for forensics, search the environment for the same account or host communicating elsewhere, and prioritize password rotation for affected service accounts and secrets.

### False positive analysis

- An IIS administrator may legitimately run AppCmd to review application pool identities or troubleshoot authentication issues, so verify the command aligns with an approved maintenance window or change request and was launched by an expected administrative account.
- A scheduled server administration script may enumerate full IIS configuration or connection strings during backup, migration validation, or configuration auditing, so confirm the parent process and execution time match a known scheduled task or recurring maintenance pattern and that no suspicious follow-on activity occurred.
"""
references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
risk_score = 21
rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
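Review bot: the opening line of the new note, note = """ ## Triage and analysis, puts a space and the first heading on the same line as the opening delimiter, so the stored string starts with " ## Triage and analysis" rather than "## Triage and analysis"; move the heading to the line after the opening """ (or drop the leading space) so this guide is stored and rendered like the other rule notes. Within the guide itself, the first paragraph refers only to "the IIS administration utility" while the false positive section names AppCmd; naming appcmd.exe in the opening description would make the guide self-consistent and match the rule file name.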
Expand All @@ -42,6 +64,7 @@ tags = [
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"