041. BadIIS: Hunting and Detection
Hello everyone! Today we'll talk about a sub-technique of T1505 - T1505.004: IIS Components. Again, it doesn't have lots of procedure examples in MITRE ATT&CK, so I'm excited to see it leveraged by real adversaries!
Recently Trend Micro published a report on a Chinese-speaking threat actor that manipulates SEO to display unauthorized ads and distribute malware. To do it, the adversary exploited vulnerable IIS servers in order to install BadIIS.
Let's look at some detection and hunting opportunities. Let's start with stopping and starting IIS services: the adversary uses iisreset /stop and iisreset /start.
Next, the threat actors abused AppCmd to install BadIIS. So, it's a good idea to hunt for suspicious executions of appcmd.exe with the install module command.
Also, the adversary may want to modify the file attributes of BadIIS by abusing attrib, for example with the following parameters: +a +s +r +i +h.
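As an added example (not code from the post or from Trend Micro's report), here is a small Python hunt over constructed process-creation events that flags the three behaviours above and also correlates the stop, install module, start sequence per host; the event field names, hostnames and file paths are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry). Fields mimic a
# Sysmon Event ID 1 / EDR export and are assumed to be in chronological order.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\iisreset.exe", "cmdline": "iisreset /stop"},
    {"host": "web01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "cmdline": r'appcmd.exe install module /name:"MyModule" /image:"C:\inetpub\temp\mod.dll"'},
    {"host": "web01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +a +s +r +i +h C:\inetpub\temp\mod.dll"},
    {"host": "web01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\iisreset.exe", "cmdline": "iisreset /start"},
    # Benign noise: a user marking a document read-only on a workstation.
    {"host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\attrib.exe", "cmdline": r"attrib +r C:\Users\bob\notes.txt"},
    # Benign noise: an admin listing sites is not a module install.
    {"host": "web02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\inetsrv\appcmd.exe", "cmdline": "appcmd.exe list sites"},
]

# (rule name, image regex, command-line regex). The attrib rule requires both +s and +h,
# the combination that hides a file from a default directory listing.
RULES = [
    ("iisreset_stop_start", r"\\iisreset\.exe$", r"(?i)\s/(stop|start)\b"),
    ("appcmd_install_module", r"\\appcmd\.exe$", r"(?i)\binstall\s+module\b"),
    ("attrib_hide_system", r"\\attrib\.exe$", r"(?i)(?=.*\+s\b)(?=.*\+h\b)"),
]

# Ordered stages of the observed BadIIS deployment chain, matched on the command line.
STAGES = [r"(?i)iisreset\s+/stop", r"(?i)\binstall\s+module\b", r"(?i)iisreset\s+/start"]


def hunt(events):
    """Return one (host, rule name, cmdline) tuple per event that matches a rule."""
    hits = []
    for ev in events:
        for name, img_re, cmd_re in RULES:
            if re.search(img_re, ev["image"], re.IGNORECASE) and re.search(cmd_re, ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits


def chained_hosts(events):
    """Hosts on which all STAGES were seen in order (stop, install module, start)."""
    progress, done = {}, set()
    for ev in events:
        i = progress.get(ev["host"], 0)
        if i < len(STAGES) and re.search(STAGES[i], ev["cmdline"]):
            progress[ev["host"]] = i + 1
            if i + 1 == len(STAGES):
                done.add(ev["host"])
    return sorted(done)
```

The per-event rules are noisy on their own (admins restart IIS too), so the chained sequence on one host is the higher-fidelity signal to alert on.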
See you tomorrow!