Attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers. These backdoors hide deep in target environments and give attackers a durable persistence mechanism. While prior research has been published on specific incidents and variants, little is generally known about how attackers leverage the IIS platform as a backdoor.
ATT&CK IDs: T1059 - Command and Scripting Interpreter, T1114 - Email Collection, T1176 - Browser Extensions, T1505 - Server Software Component, T1547 - Boot or Logon Autostart Execution, T1047 - Windows Management Instrumentation, T1003 - OS Credential Dumping, T1055 - Process Injection, T1021 - Remote Services, T1027 - Obfuscated Files or Information, T1127 - Trusted Developer Utilities Proxy Execution