By setting up an event handler on the BeginRequest, EndRequest, and Error event triggers, the actor can intercept all requests before the web service can process them and before the response is sent to the client. Log Request: When a request is about to be logged.Įvent handlers, which run when their associated trigger is fired, can allow an actor to essentially setup a proxy on the IIS server.End Request: When a response is about to be sent to the client.Begin Request: When a request is received by the webserver.
IIS modules have access to 27 event triggers by default, including:
#DART MICROSOFT CODE#
Event triggers provide opportunities for code to be called when specific actions happen. Malicious IIS modules techniques Event handlersĪ core part of IIS module functionality is event handling. This blog delves further into the capability to discuss the different capabilities that malicious IIS modules have access to. This allowed the actor to have minimal malicious indicators in the base IIS module, then load further capabilities as required.Ī more recent example was provided in a recent Microsoft blog, where the actor instead opted for child process execution rather than loading the capability directly into w3wp.exe. NET modules, which by extension, loads further. The vendor’s ICEAPPLE report details an IIS module that was used by an actor to reflectively load further. One of the first examples of sophisticated IIS modules was discovered in late 2021. Historical malware analysis shows how crimeware groups used IIS modules to intercept client logons and payment details by using the BeginRequest triggers to read user-provided parameters before the webserver processes them. The concept of malicious IIS has been around since at least 2013. The queries listed are not definitive detection queries, but rather a base query that you can build on to suit your specific environment. While we will cover Microsoft Defender for Endpoint detections in this blog, these detection methods should be tool agnostic. In this blog by Microsoft Detection and Response Team (DART), we aim to provide further guidance on detecting malicious IIS modules and other capabilities (such as logging) that you can use during your own investigations. IIS modules and the creation of persistent backdoors by malicious IIS modules has recently been addressed in the Microsoft Security blog titled Malicious IIS modules creating persistent backdoors. Monitoring for exploitation and web shells should be a high priority for all networks, and while these detection techniques are targeted towards malicious IIS modules, a lot of these techniques will also provide general web shell detections. Web servers provide an external avenue directly into your corporate network, which often results in web servers being an initial intrusion vector or mechanism of persistence. Web exploitation and web shells are some of the most common entry points in the current threat landscape. For more information on IR services, go to The Microsoft Detection and Response Team (DART) has been renamed to Microsoft Incident Response (Microsoft IR).
Microsoft Defender Cloud Security Posture Mgmt.Microsoft Defender Vulnerability Management.Microsoft Entra ID (Azure Active Directory).
0 kommentar(er)
