Unusual Web Config File Access
Detects unusual access to the web.config file, which contains sensitive credential information such as database connection strings, machineKey validation/decryption keys, and SAML/OAuth token settings. Attackers can use the information extracted to forge malicious __VIEWSTATE requests for persistent RCE on the web server or pivot to the SQL server using exposed connection strings.
Rule type: new_terms
Rule indices:
- logs-endpoint.events.file-*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Elastic Defend
- Resources: Investigation Guide
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating Unusual Web Config File Access
Possible investigation steps
- What process opened which "web.config" path, and what secrets could it expose?
  - Why: IIS, SharePoint, federation, or shared application configs can expose connection strings, MachineKey validation/decryption keys, and OAuth/SAML settings for ViewState forgery or credential pivots.
  - Focus: `file.path`, `process.entity_id`, `process.executable`, `user.id`, and `host.id`.
  - Implication: escalate when `file.path` points to SharePoint, federation, shared application, database-connected app, or another high-value IIS root; lower suspicion only when asset inventory or owner confirmation verifies a non-sensitive test path and later endpoint evidence stays inside that exact workflow.
- Is the reader a recognized maintenance component or an anomalous binary?
  - Focus: `process.executable`, `process.command_line`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.parent.executable`.
  - Implication: escalate when the reader is unsigned, user-writable, renamed, or launched by a shell, script host, web worker, or remote-admin chain; lower suspicion when signer, path, command line, and parent match one recognized deployment, backup, scan, or web-maintenance component. Identity alone does not clear the read.
- Do the account and lineage fit application maintenance on this host?
  - Focus: `user.id`, `user.name`, `process.parent.executable`, and `process.Ext.ancestry`.
  - Implication: escalate when the account lacks a web-admin, service, deployment, backup, or response role, the service identity is unexpected, or the parent is a shell, script host, web worker, or remote-admin tool; lower suspicion when identity, parent, and ancestry match one recognized workflow.
- Did the same process enumerate or stage config secrets beyond one bounded read?
  - Focus: same-process file events by `host.id` and `process.entity_id`: `event.action`, `file.path`, and `file.Ext.original.path`; look for sibling "web.config", "applicationHost.config", backup or copied configs, script output, web-shell files, or archives. (Timeline: file events for the same process, last 1h.)
  - Implication: escalate when the process walks multiple site roots, opens server-wide config, reads backups, or writes collection/web-shell artifacts; lower suspicion when file activity stays inside one expected application path with no copy, archive, or helper-file staging.
- Did direct child process activity show extraction, staging, or attempted use of exposed secrets?
  - Why: shell or encoded PowerShell chains can collect config contents, extract MachineKey material, or stage a web shell.
  - Focus: direct child process events on `host.id` where `process.parent.entity_id` matches `process.entity_id`: `process.executable`, `process.command_line`, and `process.parent.executable`. (Timeline: direct child process events, last 1h.)
  - Hint: expand manually from direct children into deeper descendants or the recovered process tree.
  - Implication: escalate when children or descendants include "cmd.exe", PowerShell, archive tools, database clients, web-shell writers, or commands referencing MachineKey, validation keys, decryption keys, config copies, or archive staging; absent child events lower immediate-use concern only if the reader, path, and file pattern are already bounded.
- If local evidence is suspicious or unresolved, does endpoint telemetry show broader config access or staging by the same user or host?
  - Focus: same-`user.id` file events with `file.path` values showing additional config reads, copied configs, script output, web-shell files, or archives. (Timeline: file events for the same user, last 48h.)
  - Hint: if the user identity is shared or sparse, review same-`host.id` and `user.id` process events: `process.executable`, `process.command_line`, and `process.Ext.ancestry`. (Timeline: process events for the same host and user, last 48h.)
  - Implication: expand scope when either view shows additional config reads, collection artifacts, staged scripts, or suspicious administration around the read window; keep the case local only when broader endpoint telemetry shows no additional staging and local evidence fits one exact workflow.
- Escalate when path, reader identity, lineage, same-process file behavior, child/descendant behavior, or related alerts indicate unauthorized config access or secret staging; close only when path, process, user/session, lineage, and same-process file evidence bind to one recognized maintenance, deployment, backup, or response workflow and outside confirmation verifies legitimacy that telemetry cannot prove; preserve artifacts and escalate when evidence is mixed or incomplete.
False positive analysis
- AV/EDR products may open web.config during scans. Confirm a trusted-signed AV binary, SYSTEM or service account, and no same-process config copy, archive, or staging.
- Deployment, backup, scanning, or IR workflows can open web.config. Confirm `process.executable`, signer, parent, `file.path`, `user.id`, and `host.id` align with one workflow, with no config copy, archive, web-shell, shell descendants, or broader enumeration. Do not close on historical similarity alone.
- Build exceptions from `process.executable`, signer, parent, exact `file.path` root, `user.id`, and `host.id`. Avoid exceptions on "web.config" or host alone. For this new-terms rule, keep first-time cases as candidates until confirmed repeats show the same workflow.
Response and remediation
- If confirmed benign, reverse temporary containment and document which evidence proved the workflow: reader identity, parent lineage, `file.path`, `user.id`, `host.id`, and same-process file pattern. Create an exception only for the independently confirmed minimum workflow, not for "web.config" broadly.
- If suspicious but unconfirmed, preserve the alert details, process tree, same-process file timeline, targeted config path, suspected copies, archives, script output, web-shell files, and case notes before containment. Apply reversible containment first, such as heightened monitoring, temporary account restrictions, or temporary outbound controls; isolate the host only if copied config, web-shell creation, or secret reuse is confirmed and service impact is acceptable.
- If confirmed malicious, preserve the reader process instance, parent chain, targeted `file.path`, copied or staged config, script output, web-shell files, archives, and case notes before containment. Then contain the affected host or account based on the unauthorized reader, high-value path, enumeration, staged artifacts, or descendant process evidence, and record those identifiers before terminating processes or deleting files.
- Rotate secrets exposed through the targeted `file.path`, including database credentials, MachineKey validation/decryption keys, OAuth/SAML secrets, and shared service-account credentials. Prioritize production, internet-facing, and shared application secrets.
- Eradicate only the web shells, scripts, copied configuration files, archives, persistence mechanisms, and altered application files identified during the investigation; restore affected application configuration from a known-good state and remediate the initial access or privilege path that allowed the read.
Setup
This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
Setup instructions: https://ela.st/install-elastic-defend
Rule query
event.category:file and host.os.type:windows and event.action:open and
file.name:"web.config" and file.path : *VirtualDirectories* and
not process.executable: (
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" or
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" or
"C:\Windows\System32\MRT.exe" or
"C:\Windows\System32\inetsrv\w3wp.exe"
)
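As an added example, not part of this rule page or Elastic's own code, the query above is mirrored in Python and run over constructed Elastic Defend-style file events, with a new-terms baseline layered on top so a repeat of an already-seen reader stays quiet; the new-terms key of `host.id` plus `process.executable` is an assumption, since the page does not list the fields this rule keys on.

```python
from fnmatch import fnmatchcase

# Process executables excluded by the rule query (copied from the page).
EXCLUDED_EXECUTABLES = {
    r"C:\Program Files\Microsoft Security Client\MsMpEng.exe",
    r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
    r"C:\Windows\System32\MRT.exe",
    r"C:\Windows\System32\inetsrv\w3wp.exe",
}
# Assumed new-terms key: the rule page does not list the fields it keys on.
NEW_TERMS_FIELDS = ("host.id", "process.executable")

def matches_query(ev):
    """Mirror the KQL: Windows file open of web.config under *VirtualDirectories* by a non-excluded reader."""
    return (
        ev.get("event.category") == "file"
        and ev.get("host.os.type") == "windows"
        and ev.get("event.action") == "open"
        and ev.get("file.name") == "web.config"
        and fnmatchcase(ev.get("file.path", ""), "*VirtualDirectories*")
        and ev.get("process.executable") not in EXCLUDED_EXECUTABLES
    )

def evaluate(events, seen_terms):
    """Return query matches whose term combination is new; seen_terms is updated so repeats stay quiet."""
    alerts = []
    for ev in events:
        if not matches_query(ev):
            continue
        key = tuple(ev.get(f) for f in NEW_TERMS_FIELDS)
        if key not in seen_terms:
            seen_terms.add(key)
            alerts.append(ev)
    return alerts

def _event(executable, path):
    return {"event.category": "file", "event.action": "open", "host.os.type": "windows",
            "host.id": "host-01", "file.name": "web.config", "file.path": path,
            "process.executable": executable, "user.id": "S-1-5-21-0-0-0-1001"}

SP_CFG = r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _event(r"C:\Program Files\Microsoft Security Client\MsMpEng.exe", SP_CFG),  # AV scan: excluded
    _event(r"C:\Windows\System32\inetsrv\w3wp.exe", SP_CFG),                    # IIS worker: excluded
    _event(PS_EXE, SP_CFG),                                                     # first-seen reader: alert
    _event(PS_EXE, SP_CFG),                                                     # repeat term: suppressed
    _event(PS_EXE, r"C:\Sites\Test\web.config"),                                # no VirtualDirectories: no match
]
```

Calling `evaluate(SAMPLE_EVENTS, set())` yields only the first PowerShell read; seeding the baseline with that host/executable pair yields nothing, which is the behaviour the "keep first-time cases as candidates" guidance above relies on.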
Framework: MITRE ATT&CK
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Unsecured Credentials
  - ID: T1552
  - Reference URL: https://attack.mitre.org/techniques/T1552/
- Sub-technique:
  - Name: Credentials In Files
  - ID: T1552.001
  - Reference URL: https://attack.mitre.org/techniques/T1552/001/
- Tactic:
  - Name: Collection
  - ID: TA0009
  - Reference URL: https://attack.mitre.org/tactics/TA0009/
- Technique:
  - Name: Data from Local System
  - ID: T1005
  - Reference URL: https://attack.mitre.org/techniques/T1005/