Loading (malicious) IIS Modules as backdoor can be detected! Make sure to enable 'Microsoft-Windows-IIS-Configuration/Operational' :) Tweet added by DebugPrivilege @DebugPrivilege

DebugPrivilege

2 years

Loading (malicious) IIS Modules as backdoor can be detected! Make sure to enable 'Microsoft-Windows-IIS-Configuration/Operational' :)

6

62

219

Grzegorz Tworek

@0gtweet

2 years

@DebugPrivilege But why use modules, if IIS can do the same without any single 3rd party binary?

1

2

15

DebugPrivilege

@DebugPrivilege

2 years

@0gtweet I don’t know 🤷‍♂️. Trying to tackle problem one by one. I was focusing on

IIS Raid – Backdooring IIS Using Native Modules - MDSec

Introduction Back in 2018, PaloAlto Unit42 publicly documented RGDoor, an IIS backdoor used by the APT34. The article highlighted some details which sparked my interest and inspired me to write...

www.mdsec.co.uk

1

10

Bhabesh

@bh4b3sh

2 years

@DebugPrivilege Important to note that IIS Configuration auditing (requires v 7.5+) is not enabled by default.

1

0

DebugPrivilege

@DebugPrivilege

2 years

@bh4b3sh Yes, I know. I just stated in the tweet to “enable” this.

0

2

WhyS

@wahyusas

2 years

@DebugPrivilege #cybersecurity #tweet @SaveToNotion

1

0

Bleon Proko

@gl4ssesbo1

2 years

@DebugPrivilege IIS Raid?

0

1

Harbulary Battery

@keydet89

2 years

@DebugPrivilege @cyb3rops IMHO, this might be valuable. "They staged the ransomware executable on a domain controller and then used BITSAdmin to download it to each system in the domain." Ques 1: Why was the DC running IIS? /1

3

1

3

Replies