Find sigma rule

Attack: OS Credential Dumping

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

MITRE

Tactic

credential-access

technique

T1003

Test : Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

OS

windows

Description:

AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes. Reference

Executor

powershell

Sigma Rule

proc_creation_win_iis_appcmd_service_account_password_dumped.yml (id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test