Microsoft IIS Service Account Password Dumped

Elastic Detection Rules

Summary
This rule detects the IIS command-line tool AppCmd (appcmd.exe) being started on Windows with arguments that request configuration text or credential-related fields, a common stage of credential dumping through IIS. It triggers on Windows process start events for appcmd.exe whose arguments ask for configuration output or credentials, such as /text:*password*, /text:*processModel*, /text:*userName*, /config, or connection string references. The pattern covers both targeted text queries and the broad /text:* form that dumps the full configuration. By matching on either process.name or the PE original_file_name together with these command-line arguments, the rule still fires when an attacker with web shell access renames the binary while enumerating service account passwords stored in IIS configuration (application pool identities and related settings).

The behavior maps to MITRE ATT&CK T1003 (OS Credential Dumping) and T1552 (Unsecured Credentials), including T1552.001 (Credentials In Files), under the Credential Access tactic.

The rule targets Windows endpoints and ingests process events from a variety of sources (Windows Security Event Logs, Sysmon, Defender XDR, SentinelOne, CrowdStrike, Endgame), so the behavior is detected across multiple EDR and SOC platforms. Because matching depends on command-line arguments, the source must record them; for Windows Security event 4688 this requires command-line auditing to be enabled. Legitimate administrators also run appcmd.exe to inspect configuration, so alerts should be reviewed with the parent process and user in mind: an appcmd.exe launched from w3wp.exe or another web-facing process is the case of interest. The rule helps surface post-exploitation attempts to dump credentials from IIS configuration, enabling rapid containment and investigation of credential access via web-facing IIS components.
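The following is an added example written for this page, not Elastic's rule query or any code from the Elastic project. It approximates the matching logic the summary describes (Windows process start, appcmd.exe by name or original file name, credential-related arguments) in Python and runs it over a handful of constructed process events. The events are made up for illustration; the field names are assumed to follow Elastic Common Schema as used by Elastic rules, and EQL's case-insensitive wildcard `:` operator is approximated with fnmatch over lower-cased strings.

```python
import fnmatch
from typing import Dict, List, Optional

# Argument forms the rule summary calls out. EQL ":" is a case-insensitive
# wildcard match; fnmatch over lower-cased strings approximates it here.
CREDENTIAL_ARG_PATTERNS = (
    "/text:*password*",       # e.g. /text:processModel.password
    "/text:*processmodel*",   # whole processModel element (includes the password)
    "/text:*username*",       # e.g. /text:processModel.userName, vdir userName
    "/text:[*]",              # the literal argument /text:* -> dump every attribute
    "/config*",               # full configuration output
    "*connectionstring*",     # connection strings may embed credentials
)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {   # web-shell operator dumping an application pool's service-account password
        "host.os.type": "windows", "event.type": "start",
        "process.name": "appcmd.exe", "process.pe.original_file_name": "appcmd.exe",
        "process.args": ["appcmd.exe", "list", "apppool", "/text:processModel.password"],
    },
    {   # renamed copy of appcmd.exe asking for the full configuration text
        "host.os.type": "windows", "event.type": "start",
        "process.name": "svc.exe", "process.pe.original_file_name": "appcmd.exe",
        "process.args": ["svc.exe", "list", "apppool", "/text:*"],
    },
    {   # virtual directory credentials (userName)
        "host.os.type": "windows", "event.type": "start",
        "process.name": "appcmd.exe", "process.pe.original_file_name": "appcmd.exe",
        "process.args": ["appcmd.exe", "list", "vdir", "/text:userName"],
    },
    {   # benign administration: listing sites, no credential fields requested
        "host.os.type": "windows", "event.type": "start",
        "process.name": "appcmd.exe", "process.pe.original_file_name": "appcmd.exe",
        "process.args": ["appcmd.exe", "list", "site"],
    },
    {   # same arguments but a process-end event: the rule only looks at starts
        "host.os.type": "windows", "event.type": "end",
        "process.name": "appcmd.exe", "process.pe.original_file_name": "appcmd.exe",
        "process.args": ["appcmd.exe", "list", "apppool", "/text:processModel.password"],
    },
    {   # unrelated binary reading a config file: outside this rule's scope
        "host.os.type": "windows", "event.type": "start",
        "process.name": "cmd.exe", "process.pe.original_file_name": "Cmd.Exe",
        "process.args": ["cmd.exe", "/c", "type", "web.config"],
    },
]


def is_appcmd(event: Dict) -> bool:
    """Match on process name OR PE original file name so a renamed copy is still caught."""
    return (event.get("process.name", "").lower() == "appcmd.exe"
            or event.get("process.pe.original_file_name", "").lower() == "appcmd.exe")


def matched_patterns(args: List[str]) -> List[str]:
    """Return every credential-related pattern that at least one argument matches."""
    lowered = [a.lower() for a in args]
    return [p for p in CREDENTIAL_ARG_PATTERNS
            if any(fnmatch.fnmatchcase(a, p) for a in lowered)]


def evaluate(event: Dict) -> Optional[List[str]]:
    """Apply the rule to one event; return matched patterns, or None if it does not fire."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return None
    if not is_appcmd(event):
        return None
    hits = matched_patterns(event.get("process.args", []))
    return hits or None


def run_rule(events: List[Dict]) -> List[Dict]:
    """Run the rule over a batch of events and return one alert per firing event."""
    alerts = []
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            alerts.append({"index": index,
                           "command_line": " ".join(event["process.args"]),
                           "matched": hits})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(f"[{alert['index']}] {alert['command_line']}  <- {alert['matched']}")
```

Only the first three events produce alerts: the explicit password query, the renamed binary dumping everything with `/text:*`, and the vdir userName query. The site listing, the process-end event and the unrelated cmd.exe invocation are ignored, which is why parent-process and user context, rather than more argument patterns, is the right place to tune false positives from legitimate administration.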
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1003
  • T1552
  • T1552.001
Created: 2020-08-18