IIS Extensions Leveraged For Persistent Backdoors
Industry: N/A | Level: Tactical | Source: Microsoft
The Microsoft 365 Defender Research Team identified an increase in activity by threat actors crafting malicious Internet Information Services (IIS) extensions to serve as backdoors into servers. Attacks with malicious IIS extensions have commonly been observed after an attacker has exploited a public-facing application such as Microsoft Exchange and dropped a web shell onto the victim's server. The IIS extensions give the attacker persistence and can also support further objectives such as monitoring inbound and outbound requests. The backdoor facilitates the rest of the attack on the compromised environment, with an attack chain in which the attacker runs commands, dumps credentials, creates a tunnel for remote access, and exports mailbox data.
Anvilogic Use Cases:
- IIS Worker (W3WP) Spawn Command Line
- Potential ProxyShell
- Exchange New Export Request
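As an added illustration of the first use case above (not Anvilogic's or Microsoft's own detection logic), the following Python checks process-creation events for the IIS worker process w3wp.exe launching a shell or script interpreter, which is how a web shell or malicious IIS module typically runs the attacker's commands. The field names follow Sysmon Event ID 1 conventions and the sample events are constructed, not real telemetry.

```python
"""Flag w3wp.exe (IIS worker) spawning a command interpreter.

Added example for the 'IIS Worker (W3WP) Spawn Command Line' use case;
field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1,
and the events below are constructed samples.
"""
import ntpath

# Children an IIS worker has no routine reason to launch. csc.exe is
# deliberately absent: ASP.NET legitimately compiles pages through it.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
    "wscript.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe",
}


def detect_w3wp_spawn(events):
    """Return one alert dict per event where w3wp.exe spawns a suspicious child."""
    alerts = []
    for ev in events:
        # ntpath handles Windows-style paths regardless of the host OS.
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            alerts.append({"child": child,
                           "command_line": ev.get("CommandLine", "")})
    return alerts


# Constructed sample events: two malicious, one benign ASP.NET compile,
# one unrelated interactive shell.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @tmp.cmdline"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect_w3wp_spawn(SAMPLE_EVENTS):
        print(f"ALERT w3wp.exe -> {alert['child']}: {alert['command_line']}")
```

In production the same rule should be tuned per server, since legitimate IIS modules and management tooling on a given host can produce additional benign children.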