Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
SessionManager malware is easily installed on Microsoft Internet Information Services (IIS) by exploiting well-known vulnerabilities such as ProxyLogon. SessionManager activity is associated with threat groups such as Gelsemium. An attacker can manipulate files, gain control of the server, maintain a persistent presence in the network, and steal data from any user that sends HTTP requests to the victim.
Kill Chain
Risk Score
88
The IIS web server enables users to access server data across local area networks and from the internet. IIS supports modules, which are extensions that enhance server functionality. Vulnerabilities, such as ProxyLogon in Microsoft Exchange Server, can be exploited to install SessionManager malware in IIS. SessionManager is a backdoor that masquerades as a legitimate IIS module, receiving HTTP requests from both the attacker and unsuspecting users. To run a command on the victim, the attacker sends an HTTP request with a malicious cookie that includes the command and an optional argument, such as SM_SESSION=PUTFILE;FILEPATH=. SessionManager accepts the malicious cookie, and the victim processes the command. SessionManager then forwards the command output to the attacker as an HTTP response.
