Incident Response Report: IIS Server Compromise & AgentTesla Infection

Platform: CyberDefenders
Challenge: Lockdown
Category: Network Forensics
Difficulty: Easy
Tools: Wireshark, Volatility 3, FLOSS/Strings, VirusTotal
Achievement: Proof of Completion

1. Executive Summary

A forensic investigation was conducted on an Internet Information Services (IIS) web server following suspected malicious network activity. The investigation spanned network traffic analysis (PCAP), volatile memory forensics, and static/dynamic malware analysis. Findings indicate an external threat actor successfully performed network reconnaissance, exploited an open Server Message Block (SMB) share to upload a web shell, and established a reverse Command and Control (C2) connection. The attacker then achieved persistence and deployed AgentTesla, a well-known commodity Remote Access Trojan (RAT), to the target host.

This analysis is structured to trace the attacker’s movements through the Cyber Kill Chain, mapping specific behaviors to the MITRE ATT&CK Framework to provide a standardized understanding of the threat actor’s Tactics, Techniques, and Procedures (TTPs).

Indicators of Compromise (IoCs)

| Type | Indicator | Description |
|---|---|---|
| IPv4 | 10.0.2.4 | Attacker IP address (reconnaissance, delivery, C2) |
| Domain | cp8nl.hyperhost.ua | AgentTesla Command & Control (C2) server |
| Port | 4443/TCP | Reverse shell listener on the attacker host |
| File | shell.aspx | Initial web shell payload |
| File path | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe | AgentTesla persistence location (all-users Startup folder) |
| SHA-256 | c25a6673a24d169de1bb399d226c12cdc666e0fa534149fc9fa7896ee61d406f | Packed AgentTesla executable (updatenow.exe) |

2. Phase 1: Reconnaissance & Weaponization (Network Analysis)

Objective: Analyze the provided capture.pcapng to identify the initial intrusion vector and payload delivery mechanism.

Q1: Origin of Reconnaissance Traffic

Objective: Identify the IP address initiating the port scan against the IIS server.

Artifact: capture.pcapng

Initial baselining of the capture showed a large volume of connection attempts from a single source. The IPv4 Endpoints statistics show 10.0.2.4 sending 4,166 packets to the victim host (10.0.2.15), far more than any other endpoint in the capture.

Wireshark IPv4 Endpoints View showing 10.0.2.4 transmitting 4,166 packets to the victim server 10.0.2.15.

The Conversations view confirmed the pattern of a port scan: thousands of small TCP segments from 10.0.2.4 to many destination ports on 10.0.2.15, answered by roughly half as many replies (RST for closed ports, SYN-ACK for open ones). This asymmetry, one SYN per port and no completed handshakes for closed ports, is the classic signature of a SYN scan such as Nmap's -sS.

Wireshark Conversations View showing the massive imbalance in packets sent from 10.0.2.4 (4,166 packets) vs received (1,841 packets) from 10.0.2.15.

Answer:

10.0.2.4


Q2: Targeted Enumeration & MITRE ATT&CK Mapping

Objective: Identify the MITRE ATT&CK technique ID for the attacker’s network scanning behavior.

Artifact: capture.pcapng

Following the initial sweep, the attacker narrowed in on the services found listening, moving from a broad sweep to targeted enumeration. The Wireshark Protocol Hierarchy shows a significant share of the TCP traffic carried SMB on 445/TCP.

Wireshark Protocol Hierarchy Statistics showing a significant portion of TCP traffic dedicated to the NetBIOS Session Service and SMB2 protocol.

This behavior maps to MITRE ATT&CK technique T1046 (Network Service Discovery): the adversary enumerates which services are running on remote hosts to decide what to attack next.

MITRE ATT&CK definition page for T1046: Network Service Discovery.

Answer:

T1046


Q3 & Q4: Initial Access, Share Probing, and Payload Delivery

Objective: Identify the probed SMB UNC paths and the name of the web payload dropped by the attacker.

Artifact: capture.pcapng

Filtering the capture on smb2 shows the attacker negotiating an SMB session and then issuing consecutive Tree Connect Requests to probe for accessible shares. The client first connected to the IPC$ administrative share (which SMB clients use for share enumeration and named-pipe access) and then to a user share named Documents.

Having found a writable share, the attacker issued SMB2 Write Requests to transfer the payload over the network.

Wireshark SMB2 traffic showing Tree Connect Requests testing access to \\10.0.2.15\IPC$ and \\10.0.2.15\Documents. Subsequent Write Requests transfer a file of roughly 1 MB named shell.aspx.

The file, shell.aspx (roughly 1 MB), landed in a directory that IIS serves. Because IIS hands .aspx requests to the ASP.NET runtime, simply requesting the file over HTTP gave the attacker Remote Code Execution (RCE) as the application pool identity, i.e. a web shell.

Answer (Q3):

\\10.0.2.15\IPC$, \\10.0.2.15\Documents

Answer (Q4):

shell.aspx

Analyst Note:
Exposing SMB (445/TCP) beyond the trusted network is a critical misconfiguration, and a writable share that maps to web content is worse: it lets an attacker bypass every web-layer control (WAF, authentication, upload filters) and drop an ASPX web shell straight into the IIS web root. Note that 10.0.2.4 is a private (RFC 1918) address, so in this lab the attacker is network-adjacent rather than on the public internet; the weakness is identical when 445 is reachable from outside.
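The share probing and web-shell upload above can be audited mechanically once the SMB2 traffic is exported as fields. The script below is an added example (not part of the original write-up or of the CyberDefenders lab): it correlates Tree Connect, Create and Write PDUs by tree ID and file ID and flags any script file written to a share. The input lines mirror a tshark field export; the share names and file name come from the write-up, while the tree/file IDs, the benign report.docx row and the write sizes are constructed.

```python
"""Audit an SMB2 session for script files written to a share.

Added example, not part of the original write-up. Input lines mirror a
tshark field export (one SMB2 PDU per line, tab separated):
    tshark -r capture.pcapng -Y smb2 -T fields -E separator=/t \
        -e smb2.cmd -e smb2.flags.response -e smb2.tid -e smb2.fid \
        -e smb2.tree -e smb2.filename -e smb2.write_length
The sample session below is constructed: the share names and the file name
come from the write-up, the tree/file IDs and write sizes are invented.
"""
import os
from collections import defaultdict

TREE_CONNECT, CREATE, CLOSE, WRITE = 3, 5, 6, 9          # SMB2 command codes
SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp", ".jspx"}


def build_sample():
    fid_shell = "0000001d-0001-0000-0001-000000000000"    # constructed file IDs
    fid_doc = "0000001e-0001-0000-0001-000000000000"
    rows = [
        (3, 0, "", "", r"\\10.0.2.15\IPC$", "", ""),        # Tree Connect request
        (3, 1, "0x00000001", "", "", "", ""),                 # response: server assigned tid 1
        (3, 0, "", "", r"\\10.0.2.15\Documents", "", ""),
        (3, 1, "0x00000005", "", "", "", ""),                 # response: tid 5
        (5, 0, "0x00000005", "", "", "report.docx", ""),      # benign Create on the share
        (5, 1, "0x00000005", fid_doc, "", "", ""),
        (9, 0, "0x00000005", fid_doc, "", "", "4096"),
        (6, 0, "0x00000005", fid_doc, "", "", ""),
        (5, 0, "0x00000005", "", "", "shell.aspx", ""),       # Create for the web shell
        (5, 1, "0x00000005", fid_shell, "", "", ""),
    ]
    rows += [(9, 0, "0x00000005", fid_shell, "", "", "65536")] * 16   # 16 x 64 KiB = 1 MiB
    rows.append((6, 0, "0x00000005", fid_shell, "", "", ""))
    return ["\t".join(str(c) for c in r) for r in rows]


def audit_smb2(lines):
    trees, pending_tree = {}, None        # tid -> share path
    files, pending_create = {}, {}        # fid -> (share, filename); tid -> filename awaiting response
    written = defaultdict(int)            # fid -> bytes requested in Write Requests
    probed = []
    # Request/response pairing below assumes one outstanding request at a time
    # (true for a simple client); for busy servers correlate on smb2.msg_id instead.
    for line in lines:
        cmd, resp, tid, fid, tree, name, wlen = line.split("\t")
        cmd, is_resp = int(cmd), resp in ("1", "True")   # tshark prints booleans as 1/0 or True/False
        if cmd == TREE_CONNECT:
            if not is_resp:
                pending_tree = tree
                probed.append(tree)
            elif pending_tree is not None:
                trees[tid] = pending_tree                 # the response carries the assigned tid
                pending_tree = None
        elif cmd == CREATE:
            if not is_resp:
                pending_create[tid] = name
            elif tid in pending_create:
                files[fid] = (trees.get(tid, "<unknown share>"), pending_create.pop(tid))
        elif cmd == WRITE and not is_resp:
            written[fid] += int(wlen)
    findings = [
        {"share": share, "file": name, "bytes": written[fid]}
        for fid, (share, name) in files.items()
        if os.path.splitext(name)[1].lower() in SCRIPT_EXT and written[fid] > 0
    ]
    return {"shares_probed": probed, "findings": findings}


if __name__ == "__main__":
    result = audit_smb2(build_sample())
    print("shares probed:", ", ".join(result["shares_probed"]))
    for f in result["findings"]:
        print(f"script written to {f['share']}: {f['file']} ({f['bytes']} bytes)")
```

The byte count is the sum of Write Request lengths; before treating it as the size of the file on disk, confirm that the matching Write Responses returned STATUS_SUCCESS (smb2.nt_status), since a share that denies writes produces the same requests with failing responses.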


Q5: Command and Control (C2) Establishment

Objective: Identify the port the attacker’s reverse shell connected back to.

Artifact: capture.pcapng

Following the payload upload, the victim server (10.0.2.15) initiated an unprompted outbound TCP connection back to the attacker (10.0.2.4) on port 4443, immediately after the SMB Close Response for shell.aspx. The timing ties the callback to the first HTTP request that executed the web shell.

Wireshark showing TCP traffic filtered on ip.src == 10.0.2.15 and ip.dst == 10.0.2.4. A new TCP handshake to port 4443 starts right after the shell.aspx file closure.

Port 4443 is a common alternate HTTPS port and a popular choice for reverse-shell handlers (Metasploit's default listener port is 4444). It does not make the traffic look like HTTPS to an inspecting device; it only works where egress filtering allows arbitrary outbound ports. Regardless of port, a web server opening a new outbound TCP session to the host that just scanned it is a high-fidelity detection signal.

Answer:

4443
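Both network findings (the SYN scan from Q1 and the callback from Q5) reduce to flow-level logic that can be run over a tshark field export. The script below is an added example, not part of the original write-up: it identifies a source that sends SYN-only segments to many ports on one host, lists which ports answered with SYN-ACK, and then flags any new connection the scanned host initiates back toward its scanner. The two addresses and port 4443 come from the write-up; the timing, probed ports and ephemeral ports in the sample are constructed.

```python
"""Find a SYN scan and a follow-on callback from the scanned host in a tshark
field export.

Added example, not part of the original write-up. Input lines mirror:
    tshark -r capture.pcapng -Y tcp -T fields -E separator=/t \
        -e frame.time_relative -e ip.src -e ip.dst \
        -e tcp.srcport -e tcp.dstport -e tcp.flags
The sample traffic below is constructed: the two addresses and port 4443 are
from the write-up, everything else (timing, ports probed, ephemeral ports) is
invented.
"""
from collections import defaultdict

SYN, ACK = 0x02, 0x10


def build_sample():
    scanner, victim = "10.0.2.4", "10.0.2.15"
    open_ports = {80, 135, 139, 445}
    lines, t = [], 1.0
    for port in list(range(20, 60)) + sorted(open_ports):        # 44-port SYN sweep
        lines.append(f"{t:.6f}\t{scanner}\t{victim}\t40000\t{port}\t0x0002")
        reply = "0x0012" if port in open_ports else "0x0014"      # SYN-ACK if open, RST-ACK if closed
        lines.append(f"{t + 0.0001:.6f}\t{victim}\t{scanner}\t{port}\t40000\t{reply}")
        t += 0.001
    lines.append(f"{t + 5:.6f}\t{scanner}\t{victim}\t50123\t445\t0x0018")   # SMB session traffic (PSH-ACK)
    lines.append(f"{t + 6:.6f}\t{victim}\t{scanner}\t49721\t4443\t0x0002")  # victim initiates to scanner
    lines.append(f"{t + 6.0002:.6f}\t{scanner}\t{victim}\t4443\t49721\t0x0012")
    return lines


def parse(lines):
    pkts = []
    for line in lines:
        if not line.strip():
            continue
        t, src, dst, sport, dport, flags = line.rstrip("\n").split("\t")
        # tcp.flags prints as 0x0002 or 0x002 depending on tshark version; int(..., 16) takes both
        pkts.append((float(t), src, dst, int(sport), int(dport), int(flags, 16)))
    return pkts


def find_scanners(pkts, min_ports=20, window=10.0):
    """{(scanner, target): sorted probed ports} for every source that sent SYN-only
    segments to at least min_ports distinct ports on one target within `window` seconds."""
    syns = defaultdict(list)
    for t, src, dst, _, dport, flags in pkts:
        if flags & SYN and not flags & ACK:
            syns[(src, dst)].append((t, dport))
    found = {}
    for pair, events in syns.items():
        events.sort()
        i = 0
        for j in range(len(events)):                   # sliding time window over the SYNs
            while events[j][0] - events[i][0] > window:
                i += 1
            if len({p for _, p in events[i:j + 1]}) >= min_ports:
                found[pair] = sorted({p for _, p in events})
                break
    return found


def open_ports_seen(pkts, scanner, target):
    """Ports on target that answered the scanner with SYN-ACK."""
    return sorted({sport for _, src, dst, sport, _, flags in pkts
                   if src == target and dst == scanner and flags & SYN and flags & ACK})


def find_callbacks(pkts, scanners):
    """SYN-only segments from a scanned target back to its scanner. A server has no
    business opening connections to a host that just enumerated it, whatever the port."""
    return [{"time": t, "victim": src, "c2": dst, "dport": dport}
            for t, src, dst, _, dport, flags in pkts
            if (dst, src) in scanners and flags & SYN and not flags & ACK]


def triage(lines):
    pkts = parse(lines)
    scanners = find_scanners(pkts)
    return {
        "scans": {pair: {"probed": len(ports), "open": open_ports_seen(pkts, *pair)}
                  for pair, ports in scanners.items()},
        "callbacks": find_callbacks(pkts, scanners),
    }


if __name__ == "__main__":
    r = triage(build_sample())
    for (s, v), info in r["scans"].items():
        print(f"scan     {s} -> {v}: {info['probed']} ports probed, open: {info['open']}")
    for c in r["callbacks"]:
        print(f"callback {c['victim']} -> {c['c2']}:{c['dport']} at t={c['time']:.3f}s")
```

The callback rule deliberately ignores the destination port: 4443 is only what this attacker chose, and the durable signal is direction (server to scanner) plus the preceding scan.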


3. Phase 2: Execution & Persistence (Memory Dump Analysis)

Objective: Analyze the memdump.mem file using the Volatility 3 framework to identify active malicious processes and persistence mechanisms.

Q6: Environment Baselining

Objective: Identify the Windows Kernel Base Address to ensure accurate memory parsing.

Artifact: memdump.mem (Volatility 3)

The Volatility 3 windows.info plugin was run first to confirm that the image was recognized and the right symbol table loaded. It identified a Windows 10 (NT 10.0) kernel and reported the kernel base address. A correctly resolved kernel base is the sanity check that later plugins (pslist, pstree and others) will walk kernel structures at the right offsets; if it is wrong or missing, every subsequent result is suspect.

Terminal output of Volatility 3 windows.info displaying the Kernel Base at 0xf80079213000 and the target OS as Windows 10 Server.

Answer:

0xf80079213000


Q7 & Q8: Process Tree Anomalies and Persistence

Objective: Identify the anomaly in the IIS worker process and the malware’s persistence mechanism.

Artifact: memdump.mem (Volatility 3 windows.pstree)

The windows.pstree plugin provides a hierarchical view of running processes, which makes parent/child anomalies easy to spot. The critical deviation sits in the IIS service stack: the legitimate IIS worker process (w3wp.exe, PID 4332), which serves web requests and was executing the uploaded shell.aspx, was observed spawning an unrecognized executable named updatenow.exe (PID 900). A worker process normally spawns nothing beyond ASP.NET compiler helpers, so a child like this is a strong indicator of web shell execution.

This indicates that the reverse shell and the follow-on actions ran under the IIS application pool identity, i.e. with whatever rights the compromised web server had.

Volatility 3 windows.pstree output showing w3wp.exe (PID 4332) as the parent of updatenow.exe (PID 900). The full path for updatenow.exe is revealed as C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe.

The process path shows updatenow.exe executing from the all-users Startup folder under C:\ProgramData. Anything in this directory runs at every interactive logon of any user (not at boot, and not if nobody logs on), which gives the attacker persistence without touching the registry and with nothing more exotic than a file copy.

MITRE ATT&CK definition page for T1547: Boot or Logon Autostart Execution.

Answer (Q7 - Persistence Mechanism & MITRE ID):

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe
T1547

Answer (Q8 - Spawning Process):

w3wp.exe

MITRE ATT&CK Reference:
The sub-technique is T1547.001, Registry Run Keys / Startup Folder. It is one of the oldest and most reliable persistence mechanisms on Windows, and also one of the easiest to audit, since the Startup folder is a plain directory whose contents can be listed.
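The two pstree findings above (an IIS worker with an unexpected child, and a binary running from the Startup folder) can be turned into repeatable triage rules. The script below is an added example, not part of the original write-up or of Volatility: it parses a tab-separated pstree listing with the '*' depth prefix, flags any child of w3wp.exe outside a small assumed allowlist, flags any process whose path is under a Startup folder, and prints the ancestry chain for each hit. The listing is constructed with a reduced column set; PIDs 4332/900, the image names and the updatenow.exe path are from the write-up, the remaining rows are filler.

```python
"""Triage a Volatility 3 windows.pstree listing for web-shell execution and
Startup-folder persistence.

Added example, not part of the original write-up. SAMPLE_PSTREE is constructed
with a reduced, tab-separated column set (PID, PPID, ImageFileName, Path) in
the shape windows.pstree prints, keeping the '*' depth prefix on the PID column.
"""

STARTUP_TAIL = "\\start menu\\programs\\startup\\"   # all-users (ProgramData) and per-user folders share this tail
WEB_WORKERS = {"w3wp.exe"}
# Assumed allowlist: helpers the ASP.NET runtime may legitimately spawn from a worker.
EXPECTED_WORKER_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe", "werfault.exe"}

SAMPLE_PSTREE = """\
PID\tPPID\tImageFileName\tPath
4\t0\tSystem\t
* 364\t4\tsmss.exe\tC:\\Windows\\System32\\smss.exe
** 492\t364\twininit.exe\tC:\\Windows\\System32\\wininit.exe
*** 600\t492\tservices.exe\tC:\\Windows\\System32\\services.exe
**** 1180\t600\tsvchost.exe\tC:\\Windows\\System32\\svchost.exe
***** 4332\t1180\tw3wp.exe\tC:\\Windows\\System32\\inetsrv\\w3wp.exe
****** 900\t4332\tupdatenow.exe\tC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updatenow.exe
**** 1432\t600\tspoolsv.exe\tC:\\Windows\\System32\\spoolsv.exe
"""


def parse_pstree(text):
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        pid, ppid, name, path = line.split("\t")
        pid = int(pid.lstrip("* "))              # strip the tree-depth prefix
        procs[pid] = {"pid": pid, "ppid": int(ppid), "name": name, "path": path}
    return procs


def ancestry(procs, pid):
    """Child-to-root chain, e.g. 'updatenow.exe(900) <- w3wp.exe(4332) <- ...'."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:     # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


def triage(procs):
    findings = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and parent["name"].lower() in WEB_WORKERS \
                and p["name"].lower() not in EXPECTED_WORKER_CHILDREN:
            findings.append({"pid": p["pid"], "rule": "unexpected child of IIS worker",
                             "detail": ancestry(procs, p["pid"])})
        if STARTUP_TAIL in p["path"].lower():
            findings.append({"pid": p["pid"], "rule": "runs from Startup folder (T1547.001)",
                             "detail": p["path"]})
    return findings


if __name__ == "__main__":
    for f in triage(parse_pstree(SAMPLE_PSTREE)):
        print(f"PID {f['pid']}: {f['rule']}: {f['detail']}")
```

The allowlist is the part to tune per environment: on a server that never compiles pages at runtime, an empty set is the safer starting point, and csc.exe under w3wp.exe is itself worth a look.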


4. Phase 3: Actions on Objectives (Malware Analysis)

Objective: Perform static analysis and leverage Threat Intelligence to analyze the dropped updatenow.exe binary.

Q9: Evasion and Obfuscation

Objective: Identify the packer used to obfuscate the AgentTesla binary.

Artifact: updatenow.exe

Static inspection of updatenow.exe with basic string analysis (strings or FLOSS) revealed the UPX0 and UPX1 section names together with the UPX! signature that the packer writes into the header area.

![Terminal output running strings updatenow.exe | head -n 20. The output displays the classic "This program cannot be run in DOS mode" stub followed by the UPX0, UPX1, and UPX! markers.](/assets/Lockdown Lab/strings-updatenow-exe-upx-packer.png)

The attacker used UPX (Ultimate Packer for eXecutables) to compress the executable and wrap it in a small decompression stub. Packing hides plaintext strings (C2 domains, API names) from on-disk inspection, changes the file hash, and defeats naive signature matching. It is a weak form of evasion: an unmodified UPX file is restored with upx -d, and the UPX0/UPX1 names are themselves a signature that AV engines and YARA rules match on. Attackers who know this scrub the section names and the UPX! string, in which case the section layout (a first section with a large virtual size but zero bytes on disk) is the remaining tell.
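Grepping strings output for "UPX" is the quick check; parsing the PE section table is the robust one, because it also catches a UPX file whose markers were scrubbed. The script below is an added example, not part of the original write-up. Since the real updatenow.exe cannot be shipped here, build_pe() constructs minimal header-only PE images (not runnable programs) for three layouts: stock UPX, UPX with section names and signature scrubbed, and a normally linked binary. The SHA-256 of the analysed bytes is returned alongside, as the write-up does before the VirusTotal lookup.

```python
"""Static packer check: parse the PE section table and look for UPX markers.

Added example, not part of the original write-up. build_pe() fabricates
minimal PE images (DOS header, PE signature, COFF header, zeroed optional
header, section table); section sizes are illustrative, not measured.
"""
import hashlib
import struct

SECTION_HDR = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, include_magic):
    """sections: list of (name, VirtualSize, SizeOfRawData). Constructed test data."""
    e_lfanew, opt_size = 64, 240      # PE header right after the DOS header; PE32+ optional header size
    img = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    img += b"\0" * opt_size           # optional header left zeroed; the parser must skip it by size
    for name, vsize, rsize in sections:
        img += struct.pack(SECTION_HDR, name.encode(), vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, 0xE0000020)
    img += b"UPX!" if include_magic else b"\0" * 4   # UPX's pack-header magic lives after the section table
    return bytes(img + b"\0" * 64)


def pe_sections(data):
    """Return [(name, VirtualSize, SizeOfRawData), ...] from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 60)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _, rsize, *_ = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize))
    return out


def upx_verdict(data):
    secs = pe_sections(data)
    names = [n for n, _, _ in secs]
    upx_names = any(n.upper().startswith("UPX") for n in names)
    magic = b"UPX!" in data
    # UPX's telltale layout: the first section reserves the unpacked image in memory
    # (large VirtualSize) but occupies no bytes on disk (SizeOfRawData == 0).
    hollow_first = bool(secs) and secs[0][2] == 0 and secs[0][1] > 0
    if upx_names or magic:
        verdict = "upx"
    elif hollow_first:
        verdict = "packed-layout-markers-scrubbed"
    else:
        verdict = "no-upx-indicators"
    return {"sections": names, "upx_section_names": upx_names, "upx_magic": magic,
            "hollow_first_section": hollow_first, "verdict": verdict,
            "sha256": hashlib.sha256(data).hexdigest()}


# Constructed samples (sizes are illustrative)
STOCK_UPX = build_pe([("UPX0", 0x30000, 0), ("UPX1", 0x10000, 0xF000), (".rsrc", 0x1000, 0x400)], True)
SCRUBBED_UPX = build_pe([(".text", 0x30000, 0), (".data", 0x10000, 0xF000), (".rsrc", 0x1000, 0x400)], False)
PLAIN_PE = build_pe([(".text", 0x8000, 0x8000), (".rdata", 0x2000, 0x2000), (".data", 0x1000, 0x600)], False)

if __name__ == "__main__":
    for label, blob in (("stock UPX", STOCK_UPX), ("scrubbed UPX", SCRUBBED_UPX), ("plain", PLAIN_PE)):
        v = upx_verdict(blob)
        print(f"{label:12s} sections={v['sections']} verdict={v['verdict']} sha256={v['sha256'][:16]}...")
```

To run it against a real sample, replace the constructed blobs with open(path, "rb").read(). For the stock case upx -d gives back the original; for the scrubbed case upx -d refuses, and the unpacked image has to be dumped from memory after the stub has run (or the headers repaired by hand).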

Answer:

UPX


Q10 & Q11: Malware Identification & C2 Beaconing

Objective: Classify the malware family and its designated Command and Control FQDN.

Artifact: updatenow.exe

A SHA-256 hash of the binary was generated to query against Threat Intelligence databases like VirusTotal.

Terminal output running sha256sum updatenow.exe showing the hash c25a6673a24d169de1bb399d226c12cdc666e0fa534149fc9fa7896ee61d406f.

Querying the hash on VirusTotal showed broad consensus: 56 of 71 engines flagged the file, and their detection names (VirusTotal's popular threat label) converge on AgentTesla. Note that the verdict rests on vendor naming rather than on our own analysis of the unpacked payload.

VirusTotal detection page for the updatenow.exe hash. 56 out of 71 vendors flag it as malicious. The popular threat labels clearly denote Trojan:Win32/AgentTesla variants.

AgentTesla is a highly pervasive commodity Remote Access Trojan (RAT) and infostealer. It is primarily designed to act as a keylogger, capture screenshots, scrape clipboard data, and exfiltrate credentials from over 70 different applications (including web browsers, FTP clients, and email clients) on the victim’s machine.

The Relations tab on VirusTotal (contacted domains recorded when sandboxes executed the sample) reveals its C2 infrastructure: on execution the malware resolves and beacons to its Command and Control domain to exfiltrate the stolen data.

VirusTotal Contacted Domains tab highlighting the domain cp8nl.hyperhost.ua associated with the malware sample execution.

Answer (Q10 - Contacted FQDN):

cp8nl.hyperhost.ua

Answer (Q11 - Malware Family):

AgentTesla


5. Summary & Remediation

The Lockdown Lab illustrates a highly effective, fast-moving attack exploiting basic perimeter misconfigurations. The investigation highlighted the severe risks of exposing internal administration services (SMB) to the internet, allowing attackers to completely bypass web application firewalls and access controls to drop execution payloads directly to disk.

The attacker leveraged this foothold to establish a covert reverse shell, gain persistence via the all-users Startup folder, and deploy a commodity infostealer and keylogger (AgentTesla) packed with UPX.

Remediation Steps:

  1. Perimeter Hardening: Immediately restrict external access to SMB (port 445/TCP) at the firewall edge. SMB should strictly be relegated to internal corporate networking or securely routed through a VPN.
  2. Containment: Isolate the server, recycle the compromised IIS application pool (terminating the w3wp.exe worker, PID 4332) and its updatenow.exe child, then remove shell.aspx and the Startup-folder binary. Preserve copies of both files and the memory image before deletion.
  3. Egress Filtering: Allow servers to initiate outbound connections only to the destinations and ports they need, ideally via a proxy; a web server should never originate arbitrary TCP sessions. Alert on any new outbound connection from a server to a host that recently scanned it, regardless of port.
  4. Credential Reset: Given AgentTesla's primary objective is credential harvesting, force a password rotation for any accounts active on or cached within the compromised system.
  5. Share Hardening: Remove the writable Documents share or make it read-only, and never expose a web-served directory through a file share.
This post is licensed under CC BY 4.0 by the author.