appcmd.exe

  • File Path: C:\Windows\SysWOW64\inetsrv\appcmd.exe
  • Description: Application Server Command Line Admin Tool

Hashes

Type Hash
MD5 137B6014673C5989313505F6439488F6
SHA1 1D2B77A97476BD7ED583963D9908AA979A803020
SHA256 CCD7E7635BD261815DFAC9AB6EDB52A9789C3275DB09EA86A964F0E395BDBA4A
SHA384 4CA12D654FE0ABD277AC470CEB0A9CBCC5672AB630FEBF6ED49B53F16EC85313B86499C20683D767CE6FD36716B5F1C9
SHA512 9578166A01E581922B3CA8297BDF0EC83C509A955CC353219243F7CB8B854D345F4F351766728DF822683F730F6904FDCE8CA6B458A7B83FEBF41C5F5EB8BE09
SSDEEP 3072:SG6KeyYBTpx2MJ1eEhyxiE8zB0we8lUvuDdpx7:CKdYZ2MJ1eEhyxiEOph

Runtime Data

Usage (stdout):

General purpose IIS command line administration tool.

APPCMD (command) (object-type) <identifier> </parameter1:value1 ...>

Supported object types:

  SITE      Administration of virtual sites
  APP       Administration of applications
  VDIR      Administration of virtual directories
  APPPOOL   Administration of application pools
  CONFIG    Administration of general configuration sections
  WP        Administration of worker processes
  REQUEST   Administration of HTTP requests
  MODULE    Administration of server modules
  BACKUP    Administration of server configuration backups
  TRACE     Working with failed request trace logs
  BINDING   Object for working with SSL bindings

(To list commands supported by each object use /?, e.g. 'appcmd.exe site /?')

General parameters:

/?               Display context-sensitive help message.

/text<:value>    Generate output in text format (default).
                 /text:* shows all object properties in detail view.
                 /text:<attribute> shows the value of the specified
                 attribute for each object.
/xml             Generate output in XML format.
                 Use this to produce output that can be sent to another
                 command running in /in mode.
/in or -         Read and operate on XML input from standard input.
                 Use this to operate on input produced by another
                 command running in /xml mode.
/config<:*>      Show configuration for displayed objects.
                 /config:* also includes inherited configuration.
/metadata        Show configuration metadata when displaying configuration.

/commit          Set config path where configuration changes are saved.
                 Can specify either a specific configuration path, "site",
                 "app", "parent", or "url" to save to the appropriate portion
                 of the path being edited by the command, "apphost", "webroot",
                 or "machine" for the corresponding configuration level.
/apphostconfig   Specify an alternate applicationHost.config file to edit.
/debug           Show debugging information for command execution.

Use "!" to escape parameters that have same names as the general parameters,
like "/!debug:value" to set a config property named "debug".

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\inetsrv\appcmd.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: appcmd.exe.mui
  • Product Name: Internet Information Services
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\inetsrv\appcmd.exe 35

Possible Misuse

The following table contains possible examples of appcmd.exe being misused. While appcmd.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_iis_http_logging.yml Image\|endswith: \appcmd.exe DRL 1.0
sigma proc_creation_win_susp_iss_module_install.yml Image\|endswith: '\appcmd.exe' DRL 1.0
atomic-red-team T1562.002.md C:\Windows\System32\inetsrv\appcmd.exe set config “#{website_name}” /section:httplogging /dontLog:true MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md if(Test-Path “C:\Windows\System32\inetsrv\appcmd.exe”){ MIT License. © 2018 Red Canary
atomic-red-team T1562.002.md C:\Windows\System32\inetsrv\appcmd.exe set config “#{website_name}” /section:httplogging /dontLog:false *>$null MIT License. © 2018 Red Canary
signature-base gen_empire.yar $x2 = “$PoolPasswordCmd = ‘c:\windows\system32\inetsrv\appcmd.exe list apppool” fullword ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s1 = “iex "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | % { “ fullword ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s2 = “iex "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | % { “ fullword ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s4 = “C:\Windows\System32\InetSRV\appcmd.exe list vdir /text:physicalpath | “ fullword ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s5 = “if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe"))” fullword ascii CC BY-NC 4.0
signature-base gen_powershell_toolkit.yar $s6 = “if (Test-Path ("$Env:SystemRoot\System32\InetSRV\appcmd.exe")) {“ fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.