Using Log Parsing to Stop Microsoft IIS Backdoor Attacks

EclecticIQ
EclecticIQ Blog
Nov 23, 2022

Chances are you’ve heard of Microsoft’s Internet Information Services (more commonly known as IIS), as it’s one of the most popular web servers in the world, boasting a user base of over one million websites and included in the tech stack of nearly 6,000 companies. Being popular is great, but it also means becoming a bigger target — just ask Microsoft, who recently warned users about the growing trend of threat actors planting backdoors into Exchange servers via IIS extensions.

Many of these attacks started with the exploitation of a vulnerability to gain initial access, followed by the deployment of a web shell as the initial payload. After that, an IIS extension is installed to serve as a backdoor, providing covert, unauthorized access to the server and a means of persistence.

Why IIS extensions, though? There’s little difference between the malicious and legitimate files, and they are buried several levels down on the server in the same location as normal extensions. These factors make for a low detection rate and a perfect recipe for long-term persistence.

There’s some good news, however — Microsoft has published several indicators of compromise that can help detect such attacks, as well as detection rules that can be implemented. Control Validation Compass has also published a set of rules that could aid in catching malicious SQL injections.

Look at the Logs
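As an added example that is not code from the EclecticIQ post, the Python script below parses IIS W3C extended logs and flags successful POSTs to script endpoints that are missing from a known-good inventory, one way to surface a dropped web shell before the extension backdoor follows. The detection heuristic, the field list and the sample log lines are constructed assumptions, not indicators from the post.

```python
# Heuristic (an assumption for this example, not from the post): a web shell dropped
# after initial access tends to show up as POSTs to a script path (.aspx/.ashx/.asmx/
# .asp) the site never served before, answered with HTTP 200.
from typing import Dict, Iterable, List, Tuple

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp")

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines using the most recent '#Fields:' directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field names follow the directive
        elif line and not line.startswith("#"):
            values = line.split(" ")        # IIS writes '+' for spaces inside values
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows

def flag_unknown_script_posts(rows: List[Dict[str, str]],
                              known_paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client ip, uri-stem) for successful POSTs to unknown script paths."""
    known = {p.lower() for p in known_paths}
    hits: List[Tuple[str, str, str]] = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        if (r.get("cs-method") == "POST" and stem.endswith(SCRIPT_EXTS)
                and stem not in known and r.get("sc-status") == "200"):
            hits.append((f"{r['date']} {r['time']}", r.get("c-ip", "?"), stem))
    return hits

# Constructed sample log (not a real capture); client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-11-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2022-11-01 10:00:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 302 0 0 88
2022-11-01 10:03:44 10.0.0.5 POST /aspnet_client/sample.aspx - 443 - 198.51.100.23 python-requests/2.28 200 0 0 15
""".splitlines()
KNOWN_PATHS = ["/owa/auth/logon.aspx"]  # hypothetical inventory of the site's legitimate script paths

if __name__ == "__main__":
    for when, src, path in flag_unknown_script_posts(parse_w3c(SAMPLE_LOG), KNOWN_PATHS):
        print(f"{when} {src} POST to unknown script {path}")
```

Build the known-path inventory from the site's deployed content rather than from the logs themselves, so a shell that was already present when logging began does not get baselined as legitimate.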
