IIS Components

Information

• Name: IIS Components

• ID: T1505.004

• Tactics:

• Technique:

Introduction

IIS Components [T1505.004] is a sub-technique categorized under the MITRE ATT&CK framework's "Server Software Component" (T1505) technique. It specifically involves adversaries leveraging Microsoft Internet Information Services (IIS) components to execute malicious payloads, maintain persistence, or facilitate lateral movement within compromised environments. Attackers exploit IIS components due to their legitimate presence and trusted status, making malicious activities harder to detect and remediate.

Deep Dive Into Technique

Attackers exploiting IIS components typically leverage the inherent functionality and extensibility of Microsoft's IIS web server. IIS supports extensions and modules, which adversaries can abuse to execute malicious code and maintain persistence. Key technical details include:

• ISAPI Extensions and Filters: Attackers can deploy malicious Internet Server Application Programming Interface (ISAPI) DLLs that IIS loads directly, allowing arbitrary code execution and persistence.

• IIS Modules: Malicious modules can be installed through IIS's modular architecture, enabling attackers to intercept, monitor, or modify web traffic.

• Global Assembly Cache (GAC): Attackers may place malicious .NET assemblies in the GAC, enabling automatic loading and execution by IIS web applications.

• Web.config Modification: Attackers can alter IIS configuration files (web.config) to redirect traffic, execute malicious scripts, or enable unauthorized access.

• Application Pool Manipulation: Attackers may modify IIS application pools to run malicious processes or escalate privileges through IIS worker processes (w3wp.exe).

• IIS Backdoors: Attackers can deploy custom backdoors disguised as legitimate IIS modules or extensions, providing persistent remote access.

Real-world procedures typically involve initial compromise (such as exploiting web application vulnerabilities or credential theft), followed by deployment of malicious IIS components to maintain stealthy persistence or facilitate further attacks.

When this Technique is Usually Used

Attack scenarios and stages involving IIS components typically include:

• Persistence Stage: Attackers commonly use malicious IIS modules or extensions to establish long-term persistence, surviving reboots and updates.

• Privilege Escalation/Lateral Movement: IIS components can execute code under privileged accounts, facilitating privilege escalation or lateral movement within corporate networks.

• Command and Control (C2): Attackers may use compromised IIS components as covert communication channels, blending malicious traffic with legitimate web traffic.

• Reconnaissance and Credential Harvesting: IIS modules or filters may intercept sensitive web traffic, capturing credentials or sensitive data for further exploitation.

• Defense Evasion: Legitimate IIS components provide attackers camouflage, enabling them to evade detection by blending in with normal IIS operations.

How this Technique is Usually Detected

Detection of malicious IIS components involves monitoring IIS environments closely and identifying anomalies or unauthorized changes. Effective detection methods and indicators of compromise (IoCs) include:

• File Integrity Monitoring (FIM): Detect unauthorized changes to IIS configuration files (web.config), ISAPI DLLs, or module directories.

• IIS Logs Analysis: Regularly analyze IIS logs for unusual HTTP requests, unexpected module loading, or suspicious access patterns.

• Process Monitoring: Monitor IIS worker processes (w3wp.exe) for unusual behaviors, unexpected child processes, or anomalous resource usage.

• Endpoint Detection and Response (EDR) Tools: Utilize advanced endpoint security solutions capable of identifying suspicious DLL loading, memory injection, or anomalous IIS process behavior.

• Registry Monitoring: Monitor registry keys related to IIS module loading, ISAPI extensions, and GAC assemblies for unauthorized modifications.

• Network Traffic Monitoring: Detect unusual outbound connections from IIS servers, indicating potential C2 communications or data exfiltration attempts.

Specific IoCs to monitor include:

• Unexpected IIS modules or ISAPI DLLs appearing in IIS configuration.

• Unrecognized or unsigned DLLs loaded by IIS processes.

• Anomalous web.config file modifications redirecting traffic or enabling unauthorized access.

• Suspicious registry entries related to IIS extensions and modules.

• Unusual outbound network traffic originating from IIS web servers.

Why it is Important to Detect This Technique

Detecting malicious IIS components is crucial due to their potential impacts on organizational security and stability:

• Persistence and Stealth: IIS components provide attackers persistent and stealthy footholds, enabling long-term unauthorized access and control.

• Privilege Escalation: Malicious IIS modules may execute code with elevated privileges, facilitating further compromise of sensitive systems and data.

• Data Exfiltration: Attackers can intercept sensitive web traffic, capturing credentials, personal data, or proprietary information.

• Reputation Damage: Compromised IIS servers can serve malicious content to visitors, damaging organizational reputation and trust.

• Regulatory Compliance Violations: Undetected malicious IIS components may lead to breaches of regulatory standards, resulting in legal penalties and financial losses.

• Operational Disruption: Malicious IIS modules or extensions can disrupt legitimate web services, causing downtime, performance degradation, or loss of business continuity.

Early detection and remediation are essential to minimize these risks, limit attacker dwell time, and mitigate potential impacts to organizational assets and reputation.

Examples

Real-world examples demonstrate the practical use and impact of malicious IIS components:

• China Chopper Web Shell:

  • Attack Scenario: Attackers exploit web application vulnerabilities to deploy the China Chopper web shell, often embedded within IIS servers as .aspx files.

  • Tools Used: China Chopper web shell, custom IIS modules.

  • Impacts: Persistent remote access, data exfiltration, lateral movement within compromised environments.

• Exchange Server ProxyLogon and ProxyShell Exploits:

  • Attack Scenario: Attackers leveraged vulnerabilities such as ProxyLogon and ProxyShell to deploy malicious web shells and IIS modules for persistent access.

  • Tools Used: Custom web shells (.aspx), malicious IIS extensions.

  • Impacts: Persistent foothold, email data exfiltration, lateral movement, ransomware deployment.

• Malicious ISAPI Filters (e.g., RGDoor Malware):

  • Attack Scenario: Attackers installed malicious ISAPI filters on IIS servers to intercept and manipulate web traffic transparently.

  • Tools Used: RGDoor malware, custom ISAPI DLLs.

  • Impacts: Credential theft, data interception, covert command-and-control channels, persistent access.

• OWA (Outlook Web Access) Backdoor Modules:

  • Attack Scenario: Attackers compromised Exchange servers and deployed custom IIS modules to monitor and intercept user credentials and email traffic.

  • Tools Used: Custom IIS modules, malicious .NET assemblies.

  • Impacts: Credential harvesting, email data exfiltration, persistent access to sensitive communications.

These examples illustrate how adversaries effectively exploit IIS components to achieve persistent, stealthy access and cause significant damage to compromised organizations.