As time progresses, threat actors continue to discover novel ways to evade detection. Now that this technique has been discovered, it seems quite simple to detect: modify any preexisting IIS monitoring detections to search for keywords such as “wrde”, “exo”, and “cllo”. However, because it would be relatively easy for malware operators to change these keywords, it may be better to search for IIS log files being written to temp folders. This highlights the need for a defense-in-depth strategy that detects numerous different tactics across the cyber kill chain, with redundancy. Implementing such a strategy would ensure that even if a novel tactic is not detected, another portion of the actor’s activities will still be detected post-compromise.
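The two detection ideas above as an added example (not code from the original article): it scans W3C-format IIS log lines for the keywords named in the text and flags IIS-style log file names that sit under a temp directory. The sample log lines, the `TEMP_DIRS` set and the reliance on the default `u_ex*.log` file name are assumptions.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote_plus

# Keywords named in the text above; operators can change them, so treat hits as a weak signal.
KEYWORDS = ("wrde", "exo", "cllo")
# Assumption: directory names that count as "temp folders"; tune per environment.
TEMP_DIRS = {"temp", "tmp"}
# Default IIS W3C log file naming (u_exYYMMDD.log); assumes a copied log keeps that name.
IIS_LOG_NAME = re.compile(r"^u_ex\d{6}.*\.log$", re.IGNORECASE)


def scan_w3c_log(lines):
    """Yield (line_no, client_ip, keyword, request) for requests containing a keyword."""
    fields = []
    for no, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        request = f'{row.get("cs-uri-stem", "")}?{row.get("cs-uri-query", "")}'
        decoded = unquote_plus(request).lower()  # also catches %-encoded keywords
        for kw in KEYWORDS:
            if kw in decoded:
                yield no, row.get("c-ip", "-"), kw, request


def is_iis_log_in_temp(path):
    """True when an IIS-style log file name appears under a temp directory."""
    p = PureWindowsPath(path)
    in_temp = any(part.lower() in TEMP_DIRS for part in p.parts[:-1])
    return in_temp and bool(IIS_LOG_NAME.match(p.name))


# Constructed sample data (not taken from a real incident).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-10-01 10:00:01 10.0.0.5 GET /index.html - 443 198.51.100.7 200
2022-10-01 10:00:02 10.0.0.5 GET /missing.aspx id=Wrde123Wrde 443 203.0.113.9 404
2022-10-01 10:00:03 10.0.0.5 GET /a%63llo/x - 443 203.0.113.9 404
""".splitlines()

if __name__ == "__main__":
    for hit in scan_w3c_log(SAMPLE_LOG):
        print("keyword hit:", hit)
    print(is_iis_log_in_temp(r"C:\Windows\Temp\u_ex221001.log"))
```

Short substrings such as “exo” will match benign URLs on a busy site, so keyword hits are better used to prioritise review than to alert on their own.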
https://www.bleepingcomputer.com/news/security/hackers-use-microsoft-iis-web-server-logs-to-control-malware/

