Look at me, I am the C2 Now: Weaponizing IIS server for Active Directory Post-Exploitation
Security Consultant @ MDSec

Talk Abstract
Have you ever wondered how an attacker with a tiny foothold on an IIS box can launch post-exploitation inside an enterprise network without ever bringing their own tools to the party? What started as a single challenge, evading detection while trying to land a Potato binary on a hardened host, became the seed of an entire offensive playbook. Somewhere in those challenging times, a thought surfaced: what if the web server was already our C2?
In this session, we will share how that one question reshaped the way we think about IIS post-exploitation, and inspired us to explore what an IIS web server is truly capable of inside an Active Directory environment. Out of that experimentation, we came up with a "Living Off the Web Server" playbook, covering enumeration, exploitation, and privilege escalation tricks inside an Active Directory environment executed entirely from inside the web server itself. The best part? No need to drop any publicly known offensive tools or any type of binaries.
- **1. IIS Virtual Account to NT AUTHORITY\SYSTEM:** When dropped Potato binaries get killed by an AV/EDR, a few lines of ASPX code work the magic by requesting a certificate from AD CS or performing a Shadow Credentials attack, without using NTLM relay to AD CS or LDAP. No binaries or heavy code are used in this attack chain.
- **2. AD Objects Enumeration:**
  - **a. LDAP Based:** Using custom ASPX code hosted on an IIS web server to enumerate Active Directory objects, including users, groups and computers, through LDAP while running under the IIS virtual account.
  - **b. ADWS Based:** Switching from LDAP to ADWS for AD enumeration through ASPX to make our activities even "quieter", generating significantly fewer events in heavily monitored enterprise environments where every LDAP query is being watched.
- **3. ACL Abuse:** Performing ACL-based AD exploitation through custom ASPX code over LDAP and ADWS, without using the infamous PowerView and net.exe-based exploitation, because why bring your own weapons when the environment already has everything you need?
- **4. SCCM Exploitation:** We extended our IIS weaponization to target SCCM infrastructure, extracting NAA credentials using minimal ASPX code and a Python script, proving that the attack surface is always bigger than it looks.

About the Speakers

Manish Kishan Tanwar
Security Consultant @ MDSec
Manish is interested in web app sec, network pentesting, cloud environments, and Active Directory exploitation, and loves developing vulnerable labs and web shells in his spare time. Manish has published exploits and papers related to SQL Injection research on the Exploit-DB platform.
Speaking experience:
- SANS Hackfest 2022
- SteelCon (UK) 2022
- Blackhat MEA 2023
- VulnCon 2024, 2025
- MCTTP 2025

Rajat Singh
Senior Security Consultant @ KPMG
Rajat Singh works as a Senior Security Consultant at KPMG Global Service. His areas of interest include web application penetration testing. He enjoys researching new attack methodologies that can be used during external network pentest activities.
Speaking experience:
- MCTTP 2025
- OWASP AppSec Days Bangalore 2025