IIS Configuration Files Under Attack

Tuesday, August 30, 2016 @ 10:08 AM gHale


PowerShell scripts are in the process of being used to steal access credentials stored in IIS configuration files, researchers said.

The attacks occurred over this month on an infected machine, already compromised by an attacker, who managed to save a web shell on that workstation.

RELATED STORIES
Attackers Target Enterprises Through Tool
Hackers Target Industrial Companies
Network Monitoring: Keeping an Eye on IIoT
Network Monitoring Partnership

The attacker used this access to upload and then execute a PowerShell script that searches for web.config files, the standard filename given to Microsoft Internet Information Server (IIS) configuration files, said researchers at SecureWorks.

IIS web.config files often store credentials for other connected services as connectionStrings entries. In most cases, these are for Microsoft SQL servers, but other credentials for other services also end up stored this way.

The PowerShell script would copy the content of a connectionStrings entry to the local /TEMP folder. If the data ended up encrypted, the PowerShell script would also use the aspnet_regiis.exe file.

The script’s purpose is to escalate access to other resources running on the victim’s network.

Attackers most likely went after the victim’s database since that is where most of the valuable data ends up stored.