Server Software Component: Компоненты IIS
Other sub-techniques of Server Software Component (5)
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version
, Http{Extension/Filter}Proc
, and (optionally) Terminate{Extension/Filter}
. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)
Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule
, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)
Примеры процедур |
|
Название | Описание |
---|---|
RGDoor |
RGDoor establishes persistence on webservers as an IIS module.(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021) |
IceApple |
IceApple is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities.(Citation: CrowdStrike IceApple May 2022) |
OwaAuth |
OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL.(Citation: Dell TG-3390) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
Code Signing |
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
Обнаружение
Monitor for creation and/or modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\system32\inetsrv\config\applicationhost.config
could indicate an IIS module installation.(Citation: Microsoft IIS Modules Overview 2007)(Citation: ESET IIS Malware 2021)
Monitor execution and command-line arguments of AppCmd.exe
, which may be abused to install malicious IIS modules.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021)
Ссылки
- Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
- Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021.
- Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021.
- MMPC. (2012, October 3). Malware signed with the Adobe code signing certificate. Retrieved June 3, 2021.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Microsoft. (2017, June 16). Intercepting All Incoming IIS Requests. Retrieved June 3, 2021.
- Grunzweig, J. (2013, December 9). The Curious Case of the Malicious IIS Module. Retrieved June 3, 2021.
- Julien. (2011, February 2). IIS Backdoor. Retrieved June 3, 2021.
- Microsoft. (2017, June 16). ISAPI Filter Overview. Retrieved June 3, 2021.
- Microsoft. (2017, June 16). ISAPI Extension Overview. Retrieved June 3, 2021.
- CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
-
Microsoft. (2016, September 26). ISAPI/CGI Restrictions
. Retrieved June 3, 2021.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.