Zeroed
@Zeroedtech
Just a guy that talks at conferences sometimes
Joined July 2019
I've recently been experimenting with using .NET profilers to hook .NET functions under IIS and decided to write up a blog post while it was fresh in my mind
zeroed.tech
How can we use .NET's profiling interface to gain improved visibility of functions commonly used by web shells?
TOLLBOOTH: What's yours, IIS mine
elastic.co
REF3927 abuses publicly disclosed ASP.NET machine keys to compromise IIS servers and deploy TOLLBOOTH SEO cloaking modules globally.
12 months ago I presented a 3 hour course on attacking and defending Microsoft IIS servers to a packed room at BSides Canberra, today the 30+ hour version went live on @XintraOrg !
New XINTRA course‼️ Advanced IIS Post Exploitation, Detection & Evasion. Modern APT groups are actively weaponizing ToolShell and fileless IIS tradecraft to compromise Exchange, SharePoint, ASP workloads. If your detection and response capabilities lag exposure, this course
Not a bad read. I think they may be overanalysing a compiled webshell, and it's a shame they didn't get a memory dump, but it's great to see more companies talking about this stuff https://t.co/0EkBjcdAjn
github.com
Share threat intelligence and detect tools about APT "NightEgle" (APT-Q-95) - RedDrip7/NightEagle_Disclose
After a bit more digging it looks like it's referenced in Microsoft.JScript, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a but not Microsoft.JScript, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a. The latter of which is used by my IIS
For years I've seen adversaries using the "unsafe" keyword in their JScript eval shells and assumed it was required to eval complex statements (i.e. code), but after trying to work out what it actually does for some training I'm working on I found it does nothing! It's unreferenced
It put my life on hold for a month and I'm very sleep deprived but thanks for the great CTF @HuntressLabs @_JohnHammond @HuskyHacksMK @_BensonBoy23 @sudo_Rem @IzzyBoopFPV @Kaspertame #HuntressCTF
Thank you to everyone who attended my training session and a massive thanks to @BSidesCbr for providing me the opportunity to run it. The slides and any code we used can be found here https://t.co/TtNZX8sBzC I'd love any feedback on the session
zeroed.tech
For those planning to attend my "Attacking and Defending Microsoft IIS" training session at @BSidesCbr next week, check out the following post for the list of recommended software to have ready to go https://t.co/XbIgYy1Lxr See you all Friday
zeroed.tech
Setup instructions for Attacking and Defending Microsoft IIS - BSides Canberra 2024 Training.
Defender seems interested in my upcoming BSides Canberra training on Attacking and Defending Microsoft IIS Training
I'll be running a free 3 hour training session at @BSidesCbr teaching people how to defend IIS servers by learning how to attack them. I'll be posting recommended host setups closer to the event so be sure to give me a follow. https://t.co/ljEpNTX3BK
How much do you know about IIS Machine Keys and View State? Are you confident you could not only identify an exploited host but also remediate it? If not, check out my new blog post which covers exploitation, detection and remediation https://t.co/TjZ8Qgjz7q
zeroed.tech
Compromised IIS machine keys can lead to permanent access to IIS hosts via view state exploitation. In this post, we'll learn how to exploit view state via compromised IIS machine keys, how to detect...
If you've ever wondered what those weird "App_Web_das2318.dll" files on IIS servers are, I've written a blog post detailing where their names come from, what they do and the forensic benefits they can provide https://t.co/pqgJaByuSo This is the first in a series of IIS posts
zeroed.tech
Exploring the mysteries of IIS' App_Web files.
Were people really ignoring virus alerts on Server 2019 enough that we needed a danger dog added to them?
"Bringing Harmony to IIS: Using game mods to protect (or nuke) your web server", Adrian Justice
Is it hackback if you tamper with what an adversary's code sends back to their C2? Defensive part of my #bsidescbr presentation is done, onto the offensive side.
The IIS mods for #bsidescbr are coming together. These screenshots show the interception of a directory listing payload being run via a chinachopper shell
If you're going to make mods for IIS, why not make a mod loader that injects into IIS and bootstraps the whole process?
"Bringing Harmony to IIS: Using game mods to protect (or nuke) your web server" by Adrian