
“When web apps go rogue and .NET tools go dark arts…”
🌐 Once Upon a Time in IIS-Land…
In a lonely datacenter, deep beneath layers of legacy config and forgotten SSL certs, there lived a noble IIS worker process: w3wp.exe. He toiled day and night to serve .aspx files to the world. But one day… something evil slipped through a vulnerable upload form, cloaked as a humble file called shell.aspx. 😱
This is the story of how that mischievous payload transformed noble w3wp.exe into a black-hat warlock, summoning cmd.exe, conjuring up csc.exe, and invoking the elusive cvtres.exe—all in the name of cyber sorcery.
🏁 The Web Shell Ritual Begins
With a sneaky upload (think insecure file upload handler), the attacker places a malicious ASP.NET web shell on the server:
<%@ Page Language="C#" Debug="true" %>
<%
System.Diagnostics.Process.Start("cmd.exe", "/c whoami");
%>
💥 BOOM. With a single request to that file, our innocent w3wp.exe spawns cmd.exe. The web server is no longer just serving web pages—it’s now a command execution puppet.
🧪 Enter: The LOLBin Laboratory (a.k.a. the .NET SDK)
What does any respectable adversary do after spawning a shell? Drop malware? Nah, that’s too old school. Instead, they turn to the Windows-native toolkit of LOLBins—Living Off the Land Binaries.
And for today’s magical spell, we need:
- csc.exe: the C# compiler from the .NET Framework
- cvtres.exe: the resource alchemist behind the curtain
Here’s the abracadabra:
// payload.cs
using System;

class Program {
    static void Main() {
        System.Diagnostics.Process.Start("cmd.exe", "/c whoami > C:\\Users\\Public\\out.txt");
    }
}
Now compile it:
csc.exe /out:C:\Users\Public\payload.exe C:\Users\Public\payload.cs
🔮 Poof! You’ve got a shiny new binary on disk, conjured with Microsoft-signed magic.
And yes, csc.exe calls its friend cvtres.exe to work behind the scenes like a good little familiar. You might spot it in your logs:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /readonly
👀 Detection: Sniffing Out Sorcery
Want to catch this in action? You need a little threat hunting alchemy of your own. Here’s what to look for:
🧩 Weird Parentage:
- w3wp.exe spawning cmd.exe? 👀
- cmd.exe spawning csc.exe? DOUBLE 👀
- cvtres.exe being triggered outside a development box? Sound the alarms! 🔔
🧬 Sample Sigma Rule:
parent_process: w3wp.exe
process_name: csc.exe OR cvtres.exe
📁 File Drop Shenanigans:
Watch out for random .cs or .exe files appearing in:
C:\Windows\Temp
C:\Users\Public
🧙♂️ Command-Line Magic:
Alert on weird command lines like:
csc.exe /out:sus.exe sus.cs
Or scripts compiling themselves…
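Here is what those hunting checks look like as code. This is an added example, not code from the original post: a small Python detector run over constructed Sysmon-style records (Event ID 1 process creation and Event ID 11 file creation fields). The host names web01 and build01, the DEV_HOSTS set, the PIDs and the sample paths are all assumptions made up for the example; the image names, the csc.exe command line and the cvtres.exe invocation are the ones the post describes.

```python
"""Toy detector for the w3wp.exe -> cmd.exe -> csc.exe -> cvtres.exe chain.

Added example, not from the original post. Events are constructed
Sysmon-style records; host names, PIDs and DEV_HOSTS are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
COMPILER_TOOLS = {"csc.exe", "cvtres.exe"}
DROP_DIRS = {r"c:\windows\temp", r"c:\users\public"}
DROP_EXTENSIONS = (".cs", ".exe")
DEV_HOSTS = {"build01"}  # assumption: the only box where compiling is normal


@dataclass(frozen=True)
class ProcessCreate:  # Sysmon Event ID 1 fields we care about
    host: str
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class FileCreate:  # Sysmon Event ID 11 fields we care about
    host: str
    pid: int
    target_filename: str


def image_name(path: str) -> str:
    """Bare, lowercased executable name from a full Windows path."""
    return ntpath.basename(path).lower()


def in_drop_dir(path: str) -> bool:
    """True when the file sits directly in one of the watched drop folders."""
    return ntpath.dirname(path).lower() in DROP_DIRS


def ancestors(event: ProcessCreate, index: dict[tuple[str, int], ProcessCreate]) -> list[str]:
    """Image names of parent, grandparent, ... as far as the event index reaches.

    Walking the chain is what lets csc.exe launched via cmd.exe still be
    attributed to the web worker, which a direct parent match would miss.
    """
    chain, seen = [], set()
    key = (event.host, event.ppid)
    while key in index and key not in seen:  # seen-set guards against PID reuse loops
        seen.add(key)
        parent = index[key]
        chain.append(image_name(parent.image))
        key = (parent.host, parent.ppid)
    return chain


def detect(procs: list[ProcessCreate], files: list[FileCreate]) -> list[tuple[str, str, str]]:
    """Return (rule, host, detail) findings for the given events."""
    index = {(p.host, p.pid): p for p in procs}
    findings = []
    for p in procs:
        name = image_name(p.image)
        parents = ancestors(p, index)
        parent = parents[0] if parents else ""
        if parent in WEB_WORKERS and name in SHELLS:
            findings.append(("web_worker_spawned_shell", p.host, p.command_line))
        if name in COMPILER_TOOLS and any(a in WEB_WORKERS for a in parents):
            findings.append(("compiler_under_web_worker", p.host, " <- ".join([name] + parents)))
        if name in COMPILER_TOOLS and p.host not in DEV_HOSTS:
            findings.append(("compiler_outside_dev_host", p.host, name))
        if name == "csc.exe":
            # Naive whitespace split; real command lines need quote-aware parsing.
            for token in p.command_line.split():
                if token.lower().startswith("/out:") and in_drop_dir(token[5:]):
                    findings.append(("csc_output_in_drop_dir", p.host, token[5:]))
    for f in files:
        if f.target_filename.lower().endswith(DROP_EXTENSIONS) and in_drop_dir(f.target_filename):
            findings.append(("file_drop_in_public_dir", f.host, f.target_filename))
    return findings


# Constructed sample telemetry: the story's chain on web01, plus a benign compile on build01.
NET_DIR = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_PROCS = [
    ProcessCreate("web01", 4120, 600, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ProcessCreate("web01", 5300, 4120, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessCreate("web01", 5344, 5300, NET_DIR + r"\csc.exe",
                  r"csc.exe /out:C:\Users\Public\payload.exe C:\Users\Public\payload.cs"),
    ProcessCreate("web01", 5350, 5344, NET_DIR + r"\cvtres.exe", '"' + NET_DIR + r'\cvtres.exe" /readonly'),
    ProcessCreate("build01", 800, 700, NET_DIR + r"\csc.exe", r"csc.exe /out:C:\build\app.exe C:\build\app.cs"),
]
SAMPLE_FILES = [
    FileCreate("web01", 5300, r"C:\Users\Public\payload.cs"),
    FileCreate("build01", 800, r"C:\build\app.exe"),
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_PROCS, SAMPLE_FILES):
        print(f"{host}: {rule}: {detail}")
```

On the sample data every finding lands on web01 and none on build01: the cmd.exe child of w3wp.exe fires the parentage rule, csc.exe and cvtres.exe fire both the ancestry and the non-dev-host rules, the /out: path and the dropped payload.cs fire the drop-folder rules. Note that the two-line Sigma sketch above only matches direct children of w3wp.exe, while in the story csc.exe's parent is cmd.exe; walking the ancestry, or writing the rule on the grandparent, is what closes that gap.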
🛡️ Defense Against the Dark Arts
Let’s be honest: if your production web server needs csc.exe, you’ve got bigger problems. Here’s your magical protection spell book:
- AppLocker or WDAC
  - Block csc.exe, cvtres.exe, and other dev tools in production environments.
- Web App Hardening
  - No script execution in upload folders. Like, ever.
  - Don’t allow .aspx, .php, .jsp uploads unless you’re actively trying to get haunted.
- Monitor your LOLBins
  - Set alerts on execution of cmd.exe, powershell.exe, csc.exe, and cvtres.exe from non-user initiated processes.
- Network Segmentation
  - IIS should not be able to phone home with its new payload friends.
- EDR Telemetry is Your Crystal Ball 🔮
  - Use Defender for Endpoint, Sentinel, or your favorite XDR to track and correlate these events.
🎬 Final Thoughts
This technique is like Dark Souls for defenders: punishing, elegant, and unforgiving. But with the right detection spells and preventative hexes, you can banish the threat before it turns your web server into a malware forge.
So next time you see w3wp.exe getting cozy with cmd.exe, remember: it’s not just a worker process—it might be a dark wizard in disguise. 🧙♂️
Stay paranoid. Stay nerdy. And patch your damn web apps.