When Internet Information Services (IIS) becomes a lateral movement platform 

Most attackers know that write access to an IIS web root can lead to code execution. Fewer realise that, when weaponised properly, IIS can become a powerful platform for lateral movement.  

This research shows how a single ASPX page can deliver full in memory native execution inside the trusted IIS worker process (w3wp.exe) – allowing stealthy execution and movement without a traditional on disk payload. 

In this paper, you’ll learn: 

• How IIS can be transformed from a web server into a post compromise execution platform 

• How a single ASPX file can enable fileless, in memory native code execution 

• Why IIS is a high value target for persistence and lateral movement 

• How modern attackers evade static detection by operating inside trusted processes 

• What defenders should monitor when fileless does not mean invisible 

Who it’s for: 

• Red teamers looking for realistic, low noise lateral movement techniques 

• Blue teamers and SOC analysts investigating fileless execution in IIS environments 

• Threat hunters focused on memory resident activity in trusted Windows processes