Microsoft claims that cybercriminals increasingly use IIS extensions for web server attacks. Web shells remain the most popular, but that’s exactly why IIS extensions go undetected. The tech giant warns administrators of the trend.

Web servers are leading for a company’s cybersecurity. Misconfigurations can give access to confidential data. In the worst case, the server accepts external files from unauthorized users, allowing cybercriminals to upload and execute code.

The code’s format differ per attack. Web shells are the most common. A web shell is a small file with instructions written in a common programming language. The web shell instructs a server to execute commands. Think of a command that fetches data, runs an application, or logs a user.

Web shells are extremely popular. That’s why most security tools know how to recognize and block the code. Cybercriminals seek new ways to stay under the radar. Successfully so, says Microsoft. The tech giant warns of the rise of malicious IIS extensions, an alternative to web shells.

IIS extensions and cybersecurity

Internet Information Services (IIS) is one of the most popular software for web servers. IIS runs on Windows Server and is comparable to Apache, Cloudflare Server and LiteSpeed.

In addition to major software updates, IIS regularly receives new extensions. The extensions add optional tools. For example, the ‘Administration Pack’ provides a visual interface for management functions.

According to Microsoft, malicious IIS extensions are increasingly common. Cybercriminals disguise malicious code in an IIS extension. At a glance, the code functions like an IIS extension, but in reality, the code jacks sensitive data and logs. Though web shells achieve the same goal, malicious IIS extensions can be harder to detect.


The tech giant urges IIS web server administrators to keep every server application up-to-date. Just like web shells, malicious IIS extensions need a vulnerability or misconfiguration to get in. Updating software removes most of the risk.

Microsoft further advises to regularly review whether suspicious accounts pop up in the user groups of a server. Cybercriminals often add new accounts to groups that grant high-level authorization.

Finally, Microsoft shared an overview of malicious IIS processes and files on its website, which administrators can use to scan for suspicious behaviour.

Tip: AWS anchors security even more firmly in cloud infrastructure