When Internet Information Services (IIS) becomes a lateral movement platform 

Most attackers know that write access to an IIS web root can lead to code execution. Fewer realise that, when weaponised properly, IIS can become a powerful platform for lateral movement.  

This research shows how a single ASPX page can deliver full in-memory native execution inside the trusted IIS worker process (w3wp.exe) – allowing stealthy execution and movement without a traditional on-disk payload.

In this paper, you’ll learn: 

  • How IIS can be transformed from a web server into a post-compromise execution platform
  • How a single ASPX file can enable fileless, in-memory native code execution
  • Why IIS is a high-value target for persistence and lateral movement
  • How modern attackers evade static detection by operating inside trusted processes 
  • What defenders should monitor when fileless does not mean invisible 

Who it’s for: 

  • Red teamers looking for realistic, low-noise lateral movement techniques
  • Blue teamers and SOC analysts investigating fileless execution in IIS environments 
  • Threat hunters focused on memory-resident activity in trusted Windows processes