Microsoft IIS Connection Strings Decryption

Sigma Rules

Summary
This detection rule identifies attempts to use the 'aspnet_regiis.exe' command-line tool to decrypt Microsoft Internet Information Services (IIS) connection strings. The rule is particularly important because a match can indicate unauthorized access to a web server and an attempt to extract credentials from it. An attacker who has gained access to a Microsoft IIS web server (for example through a web shell) could use this command to retrieve sensitive information such as the passwords for database connections stored in configuration files. The detection triggers on process creation of 'aspnet_regiis.exe' when its command line contains both 'connectionStrings' and the ' -pdf' parameter, which indicates an intent to decrypt and display the stored passwords. Monitoring and alerting on this activity are essential to detect possible credential theft and the lateral movement that typically follows it.
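The matching logic described above, as an added example run over constructed process-creation events (this is illustrative code, not the Sigma rule itself or any SIEM's implementation). It follows Sigma's case-insensitive string matching and, as an assumption beyond the page's wording, also accepts an OriginalFileName of aspnet_regiis.exe so that a renamed copy of the tool does not slip past an Image-only check.

```python
"""Toy evaluator for the IIS connection-string decryption detection."""
from typing import Dict, List

# Constructed sample events with Sysmon Event ID 1 style field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # legitimate: encrypting a section (-pef), not decrypting it
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe",
        "CommandLine": r'aspnet_regiis.exe -pef "connectionStrings" C:\inetpub\wwwroot\app',
        "User": "CONTOSO\\deployer",
    },
    {  # should alert: decrypting the connectionStrings section
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe",
        "CommandLine": r'aspnet_regiis.exe -pdf "connectionStrings" C:\inetpub\wwwroot\app',
        "User": "IIS APPPOOL\\DefaultAppPool",
    },
    {  # renamed binary (assumed extension): Image fails, OriginalFileName still matches
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "aspnet_regiis.exe",
        "CommandLine": r"update.exe -pdf connectionStrings C:\inetpub\wwwroot\app",
        "User": "IIS APPPOOL\\DefaultAppPool",
    },
    {  # unrelated process that merely touches the config file
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c type C:\inetpub\wwwroot\app\web.config",
        "User": "CONTOSO\\admin",
    },
]


def is_connection_string_decryption(event: Dict[str, str]) -> bool:
    """True when the event matches the rule: aspnet_regiis.exe run with
    both 'connectionStrings' and ' -pdf' on its command line."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    is_tool = image.endswith("\\aspnet_regiis.exe") or original == "aspnet_regiis.exe"
    # Sigma 'contains|all': every listed substring must appear.
    return is_tool and "connectionstrings" in cmdline and " -pdf" in cmdline


def find_matches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise this alert."""
    return [e for e in events if is_connection_string_decryption(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT user={hit['User']} cmd={hit['CommandLine']}")
```

Administrators do run the same switch during legitimate deployments, so triage on the invoking user and parent process: the tool executing under an IIS application-pool identity, as in the second and third samples, is far more suspicious than an interactive administrator session.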
Categories
  • Windows
  • Cloud
  • Web
Data Sources
  • Process
Created: 2022-09-28