Microsoft IIS Connection Strings Decryption (97dbf6e2-e436-44d8-abee-4261b24d3e41)
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with access to a Microsoft IIS web server, via a webshell or similar, can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Microsoft IIS Connection Strings Decryption (97dbf6e2-e436-44d8-abee-4261b24d3e41) | Sigma-Rules | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 1 |