Iis

A commodity BadIIS malware variant is fueling a thriving malware-as-a-service (MaaS) ecosystem for Chinese-speaking cybercrime groups, allowing them to execute malicious SEO fraud, hijack server content, and redirect traffic to illicit sites.

Attackers with access to IIS web servers may use the AppCmd command-line tool to dump sensitive configuration data, including application pool credentials, potentially leading to lateral movement and privilege escalation.

Detection of adversaries disabling HTTP logging on IIS servers using AppCmd.exe, potentially evading detection by removing evidence of their actions.

Detection of command-line tools executing from the IIS installation directory on Windows systems, potentially indicating exploitation of IIS-reliant software like Microsoft Exchange.

Adversaries may use PowerShell with specific commands to disable HTTP logging on Windows systems to evade detection and hinder forensic investigations.

An attacker with Microsoft IIS web server access can decrypt and dump hardcoded connection strings, such as MSSQL service account passwords, using the aspnet_regiis utility, potentially leading to credential compromise.

An attacker with IIS web server access via a web shell can extract service account passwords by requesting full configuration output or targeting credential-related fields using the AppCmd tool.

This analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers, allowing adversaries to evade detection by removing evidence of their actions.