2026-06-04, Track 2
What happens when an attacker gains ASPX webshell access on an IIS server locked to High or Medium Code Access Security (CAS) trust? These configurations are explicitly designed to prevent arbitrary code execution: Process.Start is blocked by default, unmanaged code is denied, and the sandbox restrictions are supposed to hold. Our research proves otherwise. We systematically analysed the actual CAS policy files, not just the Microsoft documentation summaries, and discovered that multiple distinct C2 channels can be established using only managed .NET APIs that CAS permits. Under High trust, attackers get unrestricted file I/O, full outbound TCP/HTTP/DNS, and SQL connectivity. Under Medium trust, which is supposed to be the restrictive option, both DNS and SQL connections are still permitted — two overlooked outbound data channels that appear nowhere prominently in Microsoft's documentation.
This talk presents functional multi-channel C2 embedded in a single ASPX page that operates entirely within CAS boundaries, spawns zero child processes, generates no cmd.exe execution telemetry, and runs exclusively inside the w3wp.exe worker process.
We cover the full journey: building a reflective loader that leverages Full trust, exploring the limitations of CAS for ASP.NET 4.x, and abusing the settings of lower trust levels to establish multiple covert C2 channels.
1. The IIS Trust Level Landscape (5 min)
A quick primer on ASP.NET Code Access Security trust levels (Full, High, Medium, Low, Minimal), how they are configured via web.config, and why they still matter in 2026 given that the majority of enterprise IIS deployments run .NET Framework 4.x. We go beyond documentation summaries and walk through the real XML policy files (web_hightrust.config, web_mediumtrust.config). We present the complete permission maps for High and Medium trust, highlighting the critical gap: SecurityPermission(UnmanagedCode) is denied, but almost everything else — file I/O, networking, SQL, DNS — is granted.
A technical explanation of why Process.Start is fundamentally blocked below Full Trust (it P/Invokes CreateProcess via kernel32.dll), why Assembly.Load(byte[]) does not provide a trust escalation path (loaded assemblies inherit the caller's sandbox), and why named pipes are also a dead end.
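A defender's first question after this section is "which trust level is this site actually running at, and can the site override it?". The following audit script is an added example written for this page; it is not the talk's code or tooling. It assumes the site-level trust setting lives at `configuration/system.web/trust` and that a site without a `<trust>` element inherits the machine default of Full trust; the per-level channel summary is taken only from the abstract above (Low and Minimal are not characterised there, so they are left empty), and the sample configs are constructed.

```python
"""Audit the CAS trust level configured for an ASP.NET site.

Added example, not from the talk. Assumptions: the level is read from
<configuration><system.web><trust level="..."/>; a site with no <trust>
element is reported as inheriting Full trust (the machine-level default);
the channel summary per level is taken from the talk abstract only.
"""
import xml.etree.ElementTree as ET

TRUST_LEVELS = ("Full", "High", "Medium", "Low", "Minimal")

# Outbound capabilities the abstract says remain usable with managed APIs only.
# Low and Minimal are not described in the abstract, so they are left empty.
CHANNELS_PER_LEVEL = {
    "Full": {"file I/O", "TCP", "HTTP", "DNS", "SQL", "unmanaged code"},
    "High": {"file I/O", "TCP", "HTTP", "DNS", "SQL"},
    "Medium": {"DNS", "SQL"},
    "Low": set(),
    "Minimal": set(),
}

# Constructed sample configs (not taken from any real deployment).
SITE_MEDIUM = '<configuration><system.web><trust level="Medium" /></system.web></configuration>'
SITE_NO_TRUST = '<configuration><system.web><compilation debug="false" /></system.web></configuration>'
ROOT_LOCKED = ('<configuration><location allowOverride="false"><system.web>'
               '<trust level="Medium" originUrl="" /></system.web></location></configuration>')
ROOT_OPEN = ('<configuration><location allowOverride="true"><system.web>'
             '<trust level="Full" originUrl="" /></system.web></location></configuration>')


def configured_trust_level(web_config_xml: str) -> str:
    """Return the trust level a site-level web.config asks for.

    A missing <trust> element means the site inherits the machine-level
    setting, which is Full unless an administrator changed it (assumption).
    """
    root = ET.fromstring(web_config_xml)
    trust = root.find("./system.web/trust")
    if trust is None:
        return "Full"
    level = trust.get("level", "Full")
    if level not in TRUST_LEVELS:
        raise ValueError(f"unknown trust level {level!r}")
    return level


def trust_is_locked(root_config_xml: str) -> bool:
    """True when the root-level config wraps <trust> in
    <location allowOverride="false">, so a site's own web.config cannot
    raise its trust level back to Full."""
    root = ET.fromstring(root_config_xml)
    for loc in root.iter("location"):
        locked = loc.get("allowOverride", "true").lower() == "false"
        if locked and loc.find("./system.web/trust") is not None:
            return True
    return False


def audit(web_config_xml: str) -> dict:
    """Summarise what an attacker with a webshell on this site could still reach."""
    level = configured_trust_level(web_config_xml)
    return {
        "trust_level": level,
        "blocks_unmanaged_code": level != "Full",
        "outbound_channels_still_permitted": sorted(CHANNELS_PER_LEVEL[level]),
    }


if __name__ == "__main__":
    for name, cfg in (("medium site", SITE_MEDIUM), ("site without <trust>", SITE_NO_TRUST)):
        print(name, audit(cfg))
    print("root config locks trust:", trust_is_locked(ROOT_LOCKED), trust_is_locked(ROOT_OPEN))
```

The point of the second function is the one the talk's threat model turns on: a site-level `<trust level="Medium">` only constrains an attacker if the machine-level config forbids the site from overriding it, so an audit that reads the site file alone is incomplete.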
2. Phantom IIS reflective loader via ASP (10 min)
An introduction to the Phantom loader, which reflectively loads an unmanaged DLL under Full trust, with insights from its development and a demonstrated lateral movement use case. This is based on the released research: https://github.com/zux0x3a/Phantom/blob/main/When%20IIS%20platform%20becomes%20an%20execution%20platform.pdf
3. Multiple covert C2 channels across trust levels (15 min)
The core of the talk. We demonstrate each channel with architecture diagrams and live examples:
- T1: TCP Channel — TcpClient connect-back with managed task execution
- T2: HTTP Beacon — WebClient-based polling C2 that blends with legitimate IIS traffic
- T3: SQL Dead Drop — Using the application's own database as a covert task queue (High + Medium Trust)
- T4: SMTP Exfiltration — Email-based data exfil through internal relays
- T5: DNS Exfiltration — Subdomain-encoded data exfil via Dns.GetHostEntry
5. Detection and Defence Guidance (5 min)
Operational takeaways for red teams and actionable guidance for blue teams.
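Because every channel above is driven by managed APIs inside w3wp.exe, process-creation telemetry (cmd.exe, child processes) never fires; what remains observable is the worker process's own network behaviour. The detection logic below is an added example for this page, not material from the talk: it runs over constructed Sysmon-style events (process, event type, destination) and flags the worker process resolving encoded-looking subdomains, connecting to destinations outside an allowlist, or talking to a mail port. The allowlists, thresholds and sample destinations are illustrative assumptions.

```python
"""Flag outbound activity from the IIS worker process that a CAS sandbox still permits.

Added example, not from the talk. Events are constructed (process, kind, destination)
tuples in the shape a Sysmon DNS-query or network-connect event would carry.
Allowlists and thresholds are assumptions chosen for illustration.
"""
import math
from collections import defaultdict

WORKER_PROCESS = "w3wp.exe"
LABEL_MIN_LEN = 16        # assumed: labels this long are rare in legitimate app lookups
ENTROPY_MIN = 3.5         # assumed: bits per character typical of encoded data
UNIQUE_LABELS_MIN = 3     # assumed: many distinct labels under one parent suggests exfil
MAIL_PORTS = {25, 587}
ALLOWED_DESTINATIONS = {"10.0.0.5:1433"}   # assumed: the application's own SQL server
ALLOWED_DOMAINS = {"example.com"}          # assumed: domains the application legitimately resolves

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("w3wp.exe", "dns", "www.example.com"),
    ("w3wp.exe", "dns", "k3j9x2m7q4w8z1v6b5n0.c2.example.net"),
    ("w3wp.exe", "dns", "p2r8t5y1u0i9o4a6s3d7.c2.example.net"),
    ("w3wp.exe", "dns", "f4g7h2j9k5l1z8x3c6v0.c2.example.net"),
    ("w3wp.exe", "tcp", "10.0.0.5:1433"),     # allowlisted database
    ("w3wp.exe", "tcp", "203.0.113.7:4444"),  # unexpected connect-back
    ("w3wp.exe", "tcp", "10.0.0.25:25"),      # internal mail relay
    ("chrome.exe", "tcp", "203.0.113.7:443"), # not the worker process, ignored
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(label: str) -> bool:
    """Long, high-entropy DNS labels are how subdomain-encoded exfil shows up."""
    return len(label) >= LABEL_MIN_LEN and shannon_entropy(label) >= ENTROPY_MIN


def parent_domain(name: str) -> str:
    """Crude registrable-domain extraction: last two labels (assumption, no public suffix list)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def detect(events):
    """Return (rule, process, destination) findings for worker-process activity."""
    findings = []
    labels_per_domain = defaultdict(set)
    for process, kind, dest in events:
        if process.lower() != WORKER_PROCESS:
            continue
        if kind == "dns":
            domain = parent_domain(dest)
            if domain in ALLOWED_DOMAINS:
                continue
            first_label = dest.split(".")[0]
            labels_per_domain[domain].add(first_label)
            if looks_encoded(first_label):
                findings.append(("dns_encoded_label", process, dest))
        elif kind == "tcp":
            if dest in ALLOWED_DESTINATIONS:
                continue
            findings.append(("unexpected_outbound_tcp", process, dest))
            port = int(dest.rsplit(":", 1)[1])
            if port in MAIL_PORTS:
                findings.append(("smtp_from_worker", process, dest))
    # Volume rule: many distinct labels under one unknown parent domain
    for domain, labels in labels_per_domain.items():
        if len(labels) >= UNIQUE_LABELS_MIN:
            findings.append(("dns_many_unique_labels", WORKER_PROCESS, domain))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

In a real deployment the allowlists come from the application's known dependencies (its database, mail relay and the domains it calls), and the SQL dead-drop channel (T3) needs a different lens, since it uses the allowlisted database: there, query logging on the application's own tables is the remaining signal.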
Cybersecurity expert with deep experience in red team operations, penetration testing, and security research. I began my research work in 2013 and have been recognized by leading technology companies including Sony, Microsoft, SAP, Facebook, and Yahoo for responsibly identifying and reporting security vulnerabilities. I currently work as a Red Team Specialist at Resillion and actively contribute to open‑source security projects on 0xsp Labs. My research has been referenced by industry publications such as Threatpost and BleepingComputer.