#4 - IIS Port Usage

Question:

You’re observing a webserver with an active web shell. You see the w3wp process perform the following actions:

  • Open port 6666 before receiving a connection on it,

  • Send multiple connections to port 135,

  • and then send a final connection from port 6666.

Assuming the actor is using a tool's default configuration: what tool might they be using, what are they trying to accomplish, and has this been patched?


This is consistent with RottenPotato (or another member of the Potato family) being run from the web shell to escalate privileges. In its default configuration RottenPotato listens on local port 6666 and then uses DCOM (activation requests go through the RPC endpoint mapper on port 135) to coax a SYSTEM-owned service into authenticating to that attacker-controlled listener. The tool man-in-the-middles that NTLM exchange against the local RPC service, which is why this is described as a local NTLM relay, and feeds the captured authentication into AcceptSecurityContext to obtain a SYSTEM token. The worker process can impersonate that token because IIS application pool identities hold SeImpersonatePrivilege by default.

The DCOM trick that RottenPotato and JuicyPotato rely on stopped working with Windows Server 2019 (and Windows 10 1809), so older servers may still be vulnerable to this exact technique. Note the caveat: later variants such as RoguePotato and PrintSpoofer abuse the same SeImpersonatePrivilege on current versions through other triggers, so a web shell inside a worker process that holds that privilege remains a privilege escalation risk; those variants just leave different artifacts than the port pattern above.
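The pattern above can be turned into a simple detection over network telemetry. The following is an added example (not code from the original page or from the RottenPotato project) that scans constructed Sysmon Event ID 3 style records and flags an IIS worker process that both connected out to the loopback RPC endpoint mapper (135) and accepted an inbound loopback connection on a port it has no business serving. Sysmon does not log the bind/listen itself, so the rule keys on the accepted connection instead. The `NetEvent` field layout, the `WEB_WORKERS` and `EXPECTED_INBOUND` sets, and the sample events are all assumptions made for this example; the 6666 default comes from the question, but the rule deliberately flags any unexpected loopback accept, since the listener port is configurable in the tool.

```python
"""Added example: flag a RottenPotato-style local NTLM relay in
Sysmon-like network events (Event ID 3 fields). Not from the original page."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    seq: int          # event order (constructed stand-in for UtcTime)
    image: str        # process image name, e.g. "w3wp.exe"
    pid: int
    initiated: bool   # True: process connected out; False: process accepted inbound
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


RPC_ENDPOINT_MAPPER = 135          # RottenPotato's RPC traffic goes here
WEB_WORKERS = {"w3wp.exe"}         # IIS worker processes (assumption for this example)
EXPECTED_INBOUND = {80, 443}       # assumed ports a worker legitimately serves


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip == "::1"


def find_potato_candidates(events, listener_port=6666):
    """Return {pid: finding} for web worker processes that both connected to the
    loopback RPC endpoint mapper and accepted a loopback connection on a port
    outside EXPECTED_INBOUND. listener_port (RottenPotato's default, 6666) is
    only used to annotate whether the default configuration was observed."""
    per_pid = defaultdict(lambda: {"rpc_135": [], "rogue_accept": []})
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.image.lower() not in WEB_WORKERS:
            continue
        rec = per_pid[ev.pid]
        if ev.initiated and is_loopback(ev.dst_ip) and ev.dst_port == RPC_ENDPOINT_MAPPER:
            rec["rpc_135"].append(ev.seq)
        elif (not ev.initiated and is_loopback(ev.src_ip)
              and ev.dst_port not in EXPECTED_INBOUND):
            rec["rogue_accept"].append((ev.seq, ev.dst_port))

    findings = {}
    for pid, rec in per_pid.items():
        if rec["rpc_135"] and rec["rogue_accept"]:
            ports = sorted({port for _, port in rec["rogue_accept"]})
            findings[pid] = {
                "rpc_connections": len(rec["rpc_135"]),
                "listener_ports": ports,
                "default_port_seen": listener_port in ports,
            }
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign worker: serves HTTP to a client and talks to a database backend.
    NetEvent(1, "w3wp.exe", 4100, False, "10.0.0.25", 51000, "10.0.0.5", 80),
    NetEvent(2, "w3wp.exe", 4100, True, "10.0.0.5", 52000, "10.0.0.9", 1433),
    # Suspicious worker: repeated loopback RPC to 135, then a SYSTEM service
    # connects back to the worker's listener on 6666.
    NetEvent(3, "w3wp.exe", 5120, True, "127.0.0.1", 49700, "127.0.0.1", 135),
    NetEvent(4, "w3wp.exe", 5120, True, "127.0.0.1", 49701, "127.0.0.1", 135),
    NetEvent(5, "w3wp.exe", 5120, False, "127.0.0.1", 49702, "127.0.0.1", 6666),
    # The same callback as seen from the SYSTEM side; out of scope for this rule.
    NetEvent(6, "svchost.exe", 900, True, "127.0.0.1", 49702, "127.0.0.1", 6666),
]


if __name__ == "__main__":
    for pid, finding in find_potato_candidates(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {finding}")
```

In a real deployment the interesting correlation is the pair of records for the callback: the worker's accept on its listener and the matching outbound connection from a SYSTEM-owned service (svchost.exe for the DCOM/RPCSS side), which the rule above does not yet join; adding that join is the natural next step once the worker-side pattern fires.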
