Advanced IIS Post Exploitation, Detection & Evasion

Recent APT activity has shown how rapidly exploits such as ToolShell and ProxyShell can be weaponised against Microsoft IIS servers hosting Exchange, SharePoint and other ASP.NET applications. State-sponsored groups commonly target public-facing IIS services to gain initial access and then deploy complex IIS frameworks, fileless web shells and malicious .NET assemblies for post-exploitation. Public reporting on these techniques has declined, leaving many analysts without current, practical experience analysing these compromises. This hands-on course combines development and forensic analysis. Students build a series of web shells, starting with a browser-driven subprocess shell and progressing to a modular IIS framework and controller modelled on real-world APT compromises. Each web shell is used to perform controlled attacks in a lab environment, then students acquire and analyse the resulting artifacts. By the end of the course, students will understand common IIS and ASP.NET attack vectors, exploitation paths and persistence mechanisms, and will be able to acquire and analyse memory, file system and registry artifacts produced by fileless and multi-file IIS tradecraft.

/Course Details
Advanced IIS Post Exploitation, Detection & Evasion
$1,590 USD
365 Day Access
105 Videos
15 Labs
30+ Hours of Content
/Course Trainer
Adrian Justice
Trainer
Adrian is a senior threat hunter in CrowdStrike's OverWatch team, specialising in Chinese and Russian APT compromises of Microsoft IIS web servers via web shells and malicious .NET assemblies. He has previously led complex, multi-agency investigations as an Incident Responder with the Australian Cyber Security Centre, responding to APT compromises of Australian Government departments and critical infrastructure, including the Copy-Paste Compromises. Adrian has presented at the Australian Cyber Security Conference, BSides Canberra and Fal.Con Las Vegas, in addition to running training events on IIS offensive and defensive operations. He currently holds the following certifications: GREM, GXPN, GPEN, OSCP and OSWE.
@zeroedtech
Fig. A Course Syllabus
01.

Introduction

Lab Files and Downloads
Introduction (Preview)
02.

Setup

Links & Resources
2.0 - Setup Introduction
2.1 - Attack and Analysis Workstation Setup
2.2 - Windows Server Setup
2.3 - Lab Setup
03.

IIS Fundamentals

Links and Resources
3.1 - IIS Fundamentals
3.2 - Components of IIS
3.3 - IIS Logs
3.3.1 - Logs Investigate Lab
3.3.2 - Logs Investigate Lab Solution
3.4 - Webserver Order of Volatility (Preview)
3.5 - Webscripts
04.

Web Shells

Links and Resources
4.1 - Web Shells (Preview)
4.2 - Web Shell Improvements
4.2.1 - Basic Web Shells Attack Lab
4.2.2 - Basic Web Shells Attack Lab Solution
4.3 - Web Shell Investigations
4.4 - All in one shell
4.4.1 - All In One Shell Attack Lab
4.4.2 - All In One Shell Attack Lab Solution
4.5 - Web Shell Investigation
4.6 - Compilation Artifacts
4.6.1 - Compilation Artifacts Investigate Lab
4.6.2 - Compilation Artifacts Investigate Lab Solution
4.7 - Web Shell Investigation 2.0
05.

Web Shell Controllers & IIS Frameworks

Links and Resources
5.0 - Intro
5.1 - C# Concepts
5.2 - .NET Reflection
5.3 - Building a Reflection Based Web Shell
5.3.1 - Reflection Attack Lab
5.3.2 - Reflection Attack Lab Solution
5.4 - Trying what we know
5.5 - Investigating .NET Reflection
5.6 - Analysing IIS Memory Dumps
5.7 - Automating Memory Analysis
5.8 - Automating Extraction of Assemblies from Memory Dumps
5.9 - Publishing and Testing our Application
5.10 - Writing a Tasking Extractor
5.10.1 - Reflection Investigate Lab
5.10.2 - Reflection Investigate Lab Solution
5.11 - Conclusion
06.

Alternative Web Shells

Links and Resources
6.0 - Introduction
6.1 - Web Shell Request and Response Processing
6.2 - Enhancing our Web Shell
6.3 - Let's Write a Web Shell Controller
6.4 - Finishing Our Controller
6.4.1 - Controller Attack Lab
6.4.2 - Controller Attack Lab Solution
6.5 - Investigation
6.5.1 - Controller Investigate Lab
6.5.2 - Controller Investigate Lab Solution
6.6 - IIS Frameworks
6.6.1 - IIS Frameworks Development
6.6.2 - IIS Frameworks Assembly Caching
6.6.3 - IIS Frameworks Finishing Touches
6.6.4 - IIS Frameworks Attack
6.7 - Analysing IIS Frameworks
6.7.1 - Frameworks Investigate Lab
6.7.2 - Frameworks Investigate Lab Solution
6.8 - Public Web Shell Controllers
6.8.1 - Antsword
6.8.2 - Godzilla
6.8.3 - Behinder
6.8.4 - Open Source Attack Lab
6.8.5 - Open Source Attack Lab Solution
6.8.6 - Open Source Investigate Lab
6.8.7 - Open Source Investigate Lab Solution
6.9 - Frosty Fruits
6.9.1 - Frosty Fruits Deep Dive
6.9.2 - Frosty Fruits Web Shell Identification
6.9.3 - Frosty Fruits Log Analysis
6.9.4 - Frosty Fruits Task Extraction
6.9.5 - Frosty Fruits Output Extraction
6.9.6 - Frosty Fruits Conclusion
6.9.7 - Frosty Fruits Behind the Scenes
07.

ViewState, It's Not a Bug, It's a Feature

Links and Resources
7.0 - If It Runs Code, It's a Shell
7.1 - The Trilingual Web Script
7.2 - Dynamic C# Compilation
7.3 - HTTP Listener
7.4 - Custom Handlers
7.5 - Alternative Handlers
7.6 - Custom Page
7.7 - Ghost Shell
7.8 - IIS Module
08.

Advanced Investigation and Exploitation Techniques

Links and Resources
8.1 - Viewstate, It's Not a Bug, It's a Feature
8.2 - Deserialisation Exploits
8.3 - Preparation
8.4 - Viewstate Exploitation
8.4.1 - View State Attack Lab
8.4.2 - View State Attack Lab Solution
8.5 - Targeting Real World Applications
8.5.1 - Advanced ViewState Attack Lab
8.5.2 - Advanced ViewState Attack Lab Solution
8.6 - Artifacts
8.6.1 - View State Investigate Lab
8.6.2 - View State Investigate Lab Solution
8.6.3 - Advanced View State Investigate Lab
8.6.4 - Advanced View State Investigate Lab Solution
8.7 - Remediation
8.8 - Sharp Viewstate King
8.9 - Never Roll Your Own State Management
Advanced Investigation and Exploitation Techniques
9.1 - Debugging and Deobfuscation
9.2 - Deobfuscating ConfuserEx
9.3 - Bypassing AMSI and Removing Memory Artifacts
©2025 XINTRA. All rights reserved.