process where host.os.type == "windows" and event.type == "start" and
(process.name : "appcmd.exe" or ?process.pe.original_file_name == "appcmd.exe") and
process.args : "/list" and process.args : "/text*password"
process.args : "/list" doesn't match the list command argument as described in Microsoft documentation.
To Reproduce
The rule doesn't detect appcmd list apppool /text:processmodel.password
Replacing process.args : "/list" with process.args : "list" in the rule fixes it
Describe the bug
The query of the Microsoft IIS Service Account Password Dumped rule is:
process.args : "/list"doesn't match thelistcommand argument as described in Microsoft documentation.To Reproduce
appcmd list apppool /text:processmodel.passwordprocess.args : "/list"withprocess.args : "list"in the rule fixes it