Malicious IIS extensions quietly open persistent backdoors into servers

Attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers. These extensions hide deep in target environments and give attackers a durable persistence mechanism. While prior research has been published on specific incidents and variants, little is generally known about how attackers leverage the IIS platform as a backdoor.
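Because a native IIS extension must be registered in applicationHost.config to load, that file is a natural place for defenders to look for unexpected modules. The following PowerShell is an added example, not code from the original post or from Microsoft: it lists every registered native module, checks whether its DLL exists and carries a valid Authenticode signature, and flags images outside the inetsrv and Microsoft.NET directories. The default config path and the two "expected" directories are assumptions.

```powershell
# Added example (not from the original post): inventory native IIS modules
# registered in applicationHost.config and surface unsigned or out-of-place DLLs.
# Assumes the default config location and that legitimate native modules live
# under %windir%\System32\inetsrv or %windir%\Microsoft.NET.
$configPath    = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$expectedRoots = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET')
)

[xml]$config = Get-Content -Path $configPath -Raw

# <globalModules> holds <add name="..." image="..."/> entries; the image path
# usually contains %windir%, so expand it before touching the file system.
$findings = foreach ($module in $config.configuration.'system.webServer'.globalModules.add) {
    $image  = [Environment]::ExpandEnvironmentVariables($module.image)
    $exists = Test-Path -Path $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }

    $inExpectedRoot = $expectedRoots | Where-Object {
        $image.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
    }

    [pscustomobject]@{
        Name            = $module.name
        Image           = $image
        Exists          = [bool]$exists
        Signed          = [bool]($sig -and $sig.Status -eq 'Valid')
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        OutsideExpected = -not $inExpectedRoot
    }
}

# Anything unsigned, missing on disk, or outside the expected roots is a lead
# for closer review (hash it, check creation time, check who added it).
$findings |
    Where-Object { -not $_.Signed -or $_.OutsideExpected -or -not $_.Exists } |
    Format-Table Name, Image, Exists, Signed, Signer, OutsideExpected -AutoSize
```

Treat a hit as a lead rather than a verdict: some Microsoft DLLs are catalog-signed and may not report a valid embedded signature, and managed modules registered under `<modules>` in site web.config files need the same review.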

ATT&CK IDs: T1059 - Command and Scripting Interpreter, T1114 - Email Collection, T1176 - Browser Extensions, T1505 - Server Software Component, T1547 - Boot or Logon Autostart Execution, T1047 - Windows Management Instrumentation, T1003 - OS Credential Dumping, T1055 - Process Injection, T1021 - Remote Services, T1027 - Obfuscated Files or Information, T1127 - Trusted Developer Utilities Proxy Execution

