Chcon

Don’t Touch Disk, Disk is Lava
2024-11-23 , Ngaio Marsh Theatre

Security controls such as endpoint detection and response (EDR) continue to mature, thereby increasing the amount of effort adversaries must invest to successfully execute intrusions, remain undetected and achieve their objectives. This presentation will cover techniques that red teams can use to perform post exploitation against web applications hosted by Microsoft’s Internet Information Services (IIS) while evading modern security controls. The concerns that come with using traditional “cmd.exe” web shells will be discussed before demonstrating more mature web shells which make use of reflective assembly loading and deserialisation.
The presentation will cover:
- Talk will reference real-world experience conducting red team engagements
- Why traditional web shells that are dependent on executing child processes from the IIS worker process should be avoided
- Using reflection within ASPX to reflectively load assemblies for post exploitation
- Exfiltration of IIS machine keys to maintain persistence and achieve code execution through deserialisation
- Adaptation of public tooling to build a “fileless” web shell which uses deserialisation to reflectively load assemblies
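The second bullet is the defender's starting point: a traditional web shell is visible precisely because the IIS worker process (w3wp.exe) spawns a command interpreter. The following is an added example, not material from the talk, showing that detection over constructed process-creation records loosely shaped like Sysmon Event ID 1 fields; the field layout, the `SUSPICIOUS_CHILDREN` list and every sample line are assumptions made for the example.

```python
"""Flag child processes spawned by the IIS worker process (w3wp.exe).

Added example for illustration; not from the talk. Input lines are constructed
here to resemble Sysmon Event ID 1 (process creation) fields.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

IIS_WORKER = "w3wp.exe"

# Interpreters and living-off-the-land binaries a "cmd.exe"-style web shell
# typically spawns (assumed list; tune to the environment).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}
# csc.exe and cvtres.exe are expected children of w3wp.exe while ASP.NET compiles
# pages, so the rule matches on child name rather than alerting on every child.


@dataclass(frozen=True)
class ProcessEvent:
    utc_time: str
    parent_image: str
    image: str
    command_line: str


# Constructed record format: "Key=value|Key=value"; a value may not contain "|Key=".
_FIELD = re.compile(r"(\w+)=(.*?)(?=\|\w+=|$)")


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed process-creation record into a ProcessEvent."""
    fields = dict(_FIELD.findall(line))
    return ProcessEvent(
        utc_time=fields.get("UtcTime", ""),
        parent_image=fields.get("ParentImage", ""),
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_web_shell_child(evt: ProcessEvent) -> bool:
    """True when the IIS worker process spawned a known interpreter/LOLBin."""
    return (basename(evt.parent_image) == IIS_WORKER
            and basename(evt.image) in SUSPICIOUS_CHILDREN)


def find_web_shell_candidates(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return every record that matches the w3wp.exe -> interpreter pattern."""
    return [evt for evt in map(parse_event, lines) if is_web_shell_child(evt)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # IIS service starting a worker process for an application pool: expected.
    r"UtcTime=2024-11-23 10:01:02|ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\inetsrv\w3wp.exe|CommandLine=w3wp.exe -ap DefaultAppPool",
    # ASP.NET dynamic compilation: a child of w3wp.exe, but not a shell.
    r"UtcTime=2024-11-23 10:01:09|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|CommandLine=csc.exe /noconfig /out:App_Web.dll",
    # Classic web shell behaviour: the worker process spawns a command interpreter.
    r"UtcTime=2024-11-23 10:02:15|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
    # An administrator's interactive shell: same child, different parent, not flagged.
    r"UtcTime=2024-11-23 10:03:40|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe",
    # Same pattern with PowerShell as the child.
    r"UtcTime=2024-11-23 10:04:01|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile -Command Get-Process",
]

if __name__ == "__main__":
    for hit in find_web_shell_candidates(SAMPLE_EVENTS):
        print(f"{hit.utc_time}  {basename(hit.parent_image)} -> "
              f"{basename(hit.image)}: {hit.command_line}")
```

Run against the sample records, the rule flags the two records where w3wp.exe is the parent of cmd.exe or powershell.exe and ignores the compiler child and the administrator's own shell. The talk's point is the flip side of this rule: a shell that loads assemblies reflectively inside the worker process, or that obtains execution through deserialisation, never creates such a child, so parent/child process telemetry alone will not see it and defenders need in-process signals (assembly load events, request logs, machine-key hygiene) as well.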