← Library
kqlElastic-2.0from elastic/detection-rules

Unusual Web Config File Access

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1003T1552T1552.001T1005
Rule sourcerules/windows/credential_access_web_config_file_access.toml
event.category:file and host.os.type:windows and event.action:open and
  file.name:"web.config" and file.path : *VirtualDirectories* and
  not process.executable: (
        "C:\Program Files\Microsoft Security Client\MsMpEng.exe" or
        "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" or
        "C:\Windows\System32\MRT.exe"
  )