Malicious Internet Information Services (IIS) extensions are increasingly being abused by threat actors to backdoor web servers, giving them what the Microsoft 365 Defender Research Team describes as a "durable persistence mechanism." In the team's words, "IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules." The intrusion chain begins by exploiting a critical vulnerability in the hosted application for initial access, then uses that foothold to drop a script web shell as the first-stage payload. The web shell becomes the conduit for installing a rogue IIS module, and that module is then used to run remote commands and to monitor incoming and outgoing requests.
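Because a rogue native module sits in the same directory as the legitimate ones, filtering by path finds nothing; the registration itself has to be compared against a known-good baseline. The following is an added example, not code from the Microsoft report: it parses an IIS applicationHost.config offline (for example from a disk image), lists every native module registered under globalModules and enabled under modules, and flags any whose name or image path is absent from or differs from a baseline exported from a clean host of the same IIS build. The baseline dictionary is an assumed partial allowlist and the config fragment, including the look-alike HttpLogModule entry and the altered DefaultDocumentModule image path, is constructed for the example.

```python
"""Offline triage of IIS applicationHost.config for rogue native modules.

Added example, not from the Microsoft report. A native IIS module must be
registered in <globalModules> (name -> DLL image) and enabled by name in a
<modules> section to receive requests, so both sections are checked.
"""
import xml.etree.ElementTree as ET

# Assumed partial baseline (name -> image). A real baseline is exported from
# a known-clean server of the same IIS version; these entries match stock IIS.
BASELINE_GLOBAL_MODULES = {
    "HttpLoggingModule": r"%windir%\System32\inetsrv\loghttp.dll",
    "HttpCacheModule": r"%windir%\System32\inetsrv\cachhttp.dll",
    "RequestFilteringModule": r"%windir%\System32\inetsrv\modrqflt.dll",
    "AnonymousAuthenticationModule": r"%windir%\System32\inetsrv\authanon.dll",
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
    "DefaultDocumentModule": r"%windir%\System32\inetsrv\defdoc.dll",
}

# Constructed sample fragment. Two planted problems: a look-alike module
# (HttpLogModule) registered from the legitimate inetsrv directory and
# enabled server-wide, and a known module name re-pointed at a new DLL.
SAMPLE_APPHOST_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="AnonymousAuthenticationModule" image="%windir%\System32\inetsrv\authanon.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc64.dll" />
      <add name="HttpLogModule" image="%windir%\System32\inetsrv\loghttp2.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="HttpCacheModule" lockItem="true" />
      <add name="RequestFilteringModule" lockItem="true" />
      <add name="AnonymousAuthenticationModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="DefaultDocumentModule" lockItem="true" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="HttpLogModule" />
    </modules>
  </system.webServer>
</configuration>
"""


def parse_native_modules(config_xml: str):
    """Return (registered name -> image, set of enabled native module names).

    Managed modules carry a type="..." attribute in <modules> and are skipped;
    iterating over every <modules> element also catches modules enabled only
    for one site inside a <location> block.
    """
    root = ET.fromstring(config_xml)
    registered = {}
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            registered[add.get("name")] = add.get("image", "")
    enabled = set()
    for section in root.iter("modules"):
        for add in section.findall("add"):
            if add.get("type") is None:
                enabled.add(add.get("name"))
    return registered, enabled


def triage_iis_modules(config_xml: str, baseline=BASELINE_GLOBAL_MODULES):
    """Flag registrations that are not in the baseline or whose image differs.

    Comparison is by name and full image path, not by directory, because a
    backdoor DLL dropped into inetsrv is indistinguishable by location alone.
    """
    registered, enabled = parse_native_modules(config_xml)
    findings = []
    for name, image in registered.items():
        expected = baseline.get(name)
        if expected is None:
            reason = "module name not in baseline"
        elif expected.lower() != image.lower():
            reason = f"image path differs from baseline ({expected})"
        else:
            continue
        findings.append({"name": name, "image": image, "reason": reason,
                         "enabled": name in enabled})
    # Enabled by name but never registered: config tampering or a stale baseline.
    for name in sorted(enabled - registered.keys()):
        findings.append({"name": name, "image": None, "enabled": True,
                         "reason": "enabled in <modules> but absent from <globalModules>"})
    return findings


if __name__ == "__main__":
    for f in triage_iis_modules(SAMPLE_APPHOST_CONFIG):
        state = "ENABLED" if f["enabled"] else "registered only"
        print(f"[{state}] {f['name']}: {f['image']} ({f['reason']})")
```

A hit here is a lead, not a verdict: the next step is to pull the flagged DLL, check its Authenticode signature and hash against the clean build, and look at its export table, since a real IIS module exports RegisterModule and a backdoor must too.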