| ID | Name |
|---|---|
| ATAGS-T1074.001 | IIS Components |
| ATAGS-T1074.002 | SQL Stored Procedures |
| ATAGS-T1074.003 | Terminal Services DLL |
| ATAGS-T1074.004 | Transport Agent |
| ATAGS-T1074.005 | vSphere Installation Bundles |
| ATAGS-T1074.006 | Web Shell |

Threat actors may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of its web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: `Get{Extension/Filter}Version`, `Http{Extension/Filter}Proc`, and (optionally) `Terminate{Extension/Filter}`. IIS modules may also be installed to extend IIS web servers.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
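
Because ISAPI extensions and filters are identified by the exports described above, a defender can triage DLLs on an IIS host by reading their export tables. The following is an added example, not part of the original entry: the function names `pe_exports` and `isapi_kinds` are illustrative, it covers only ISAPI DLLs (not IIS modules), and a match is an inventory signal to compare against known-good components, since legitimate ISAPI DLLs export the same names.

```python
import struct, sys

# Mandatory exports named in the description above; Terminate* is optional.
ISAPI_EXPORTS = {
    "extension": {"GetExtensionVersion", "HttpExtensionProc"},
    "filter": {"GetFilterVersion", "HttpFilterProc"},
}

def pe_exports(data):
    """Return the exported names of a PE image given as bytes ([] if unparsable)."""
    try:
        pe, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return []
        nsec, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
        opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
        opt = pe + 24
        magic, = struct.unpack_from("<H", data, opt)
        # Export directory is data-directory entry 0 (offset differs for PE32+).
        exp_rva, = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))
        if not exp_rva:
            return []
        sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                    for i in range(nsec)]  # (vsize, rva, raw_size, raw_offset)

        def off(rva):  # map an RVA to a file offset
            for vsize, va, rsize, raw in sections:
                if va <= rva < va + max(vsize, rsize):
                    return rva - va + raw
            raise ValueError("RVA outside all sections")

        exp = off(exp_rva)
        count, = struct.unpack_from("<I", data, exp + 24)      # NumberOfNames
        names_rva, = struct.unpack_from("<I", data, exp + 32)  # AddressOfNames
        names = []
        for i in range(min(count, 4096)):  # cap guards against corrupt headers
            rva, = struct.unpack_from("<I", data, off(names_rva) + 4 * i)
            start = off(rva)
            names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        return names
    except (struct.error, ValueError):  # truncated or malformed image
        return []

def isapi_kinds(names):
    """Which ISAPI roles ('extension', 'filter') the export list satisfies."""
    return [kind for kind, need in ISAPI_EXPORTS.items() if need <= set(names)]

if __name__ == "__main__":  # usage: python isapi_scan.py <dll> [<dll> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kinds = isapi_kinds(pe_exports(fh.read()))
        if kinds:
            print(f"{path}: exports ISAPI {'/'.join(kinds)} entry points")
```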