Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a “durable persistence mechanism.” This comes from a statement by the Microsoft 365 Defender Research Team, who said, “IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.” The approach begins with weaponizing a critical vulnerability in the hosted application for initial access, then using that foothold to drop a script web shell as the first-stage payload. The web shell becomes the conduit for installing a rogue IIS module, and it is also responsible for running remote commands and monitoring incoming and outgoing requests.
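Because a rogue native module sits in the same directory and follows the same code structure as legitimate ones, a directory or file-name check is not enough; the check a defender actually wants is a comparison of the modules IIS has registered against a known-good baseline. The following is an added example, not code from the article or from Microsoft: it parses the `<globalModules>` section of an IIS applicationHost.config (on a real server this file lives under `%windir%\System32\inetsrv\config\`) and reports any module whose name is unknown or whose image path differs from the baseline. The config excerpt, the baseline, and the two suspicious entries (`SessionHelper` and the altered `HttpLoggingModule` image) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (not taken from any real server).
# Four entries match the baseline; two are hypothetical rogue registrations:
#   - HttpLoggingModule points at a different DLL than the baseline expects
#   - SessionHelper is a name the baseline has never seen
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp2.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="SessionHelper" image="%windir%\System32\inetsrv\sessionhelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Constructed baseline: module name -> expected image path, both lower-cased.
# In practice this is captured from a freshly built, known-good server.
BASELINE = {
    "uricachemodule": r"%windir%\system32\inetsrv\cachuri.dll",
    "staticfilemodule": r"%windir%\system32\inetsrv\static.dll",
    "httpcachemodule": r"%windir%\system32\inetsrv\cachhttp.dll",
    "httploggingmodule": r"%windir%\system32\inetsrv\loghttp.dll",
    "managedenginev4.0_64bit": r"%windir%\microsoft.net\framework64\v4.0.30319\webengine4.dll",
}


def load_global_modules(config_xml):
    """Return (name, image) pairs for every native module registered in <globalModules>."""
    root = ET.fromstring(config_xml)
    entries = []
    # Iterate by tag rather than by path so the dotted <system.webServer> tag is not an issue.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            entries.append((add.get("name", ""), add.get("image", "")))
    return entries


def audit_global_modules(config_xml, baseline):
    """Compare registered modules with the baseline.

    Returns a list of (name, reason, image) findings, in config order:
      - "not in baseline": a module name the baseline has never seen
      - "image path differs from baseline": a known name backed by a different DLL
    """
    findings = []
    for name, image in load_global_modules(config_xml):
        key = name.lower()
        if key not in baseline:
            findings.append((name, "not in baseline", image))
        elif baseline[key] != image.lower():
            findings.append((name, "image path differs from baseline", image))
    return findings


if __name__ == "__main__":
    for name, reason, image in audit_global_modules(SAMPLE_CONFIG, BASELINE):
        print(f"SUSPECT {name}: {reason} ({image})")
```

The comparison is deliberately by name and image path only, because that is what the config file records; hash-checking the DLLs named in the findings, and covering managed modules registered under `<modules>` in web.config files, are natural next steps that this block does not perform.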
Using Microsoft Sentinel to Detect Confluence CVE-2022-26134 Exploitation
By Akshay Rohatgi and Randy Pargman
About this Student Research Project
Binary Defense’s mission is