Introduction
Security operations teams must urgently attend to a new threat cluster, OP-512, actively targeting Microsoft Internet Information Services (IIS) servers. ReliaQuest has assessed with moderate to high confidence that this activity is linked to China-based espionage actors. The threat involves deploying a bespoke, custom web shell framework designed to blend into legitimate traffic and maintain persistent access.
Unlike commodity malware, this custom framework indicates a tailored campaign against high-value assets. For defenders, this means traditional signature-based antivirus may fail. The window between initial compromise and data exfiltration in web shell attacks is often narrow. Immediate action is required to hunt for indicators of compromise (IoCs) and harden IIS environments against this sophisticated adversary.
Technical Analysis
Affected Products and Platforms:
- Platform: Microsoft Windows Server versions running IIS.
- Component: Internet Information Services (IIS) Web Server.
Threat Overview: OP-512 utilizes a custom-developed web shell framework, likely written in ASP.NET or leveraging native IIS modules, to gain remote code execution (RCE) capabilities on the target server. While the specific initial access vector (e.g., exploited vulnerability, stolen credentials) for OP-512 is not detailed in the current intelligence, the payload focus is a custom web shell.
Attack Chain and Exploitation Status:
- Initial Access: Adversaries gain access to the IIS server, potentially via unpatched vulnerabilities, brute force, or supply chain compromise.
- Persistence: A custom web shell is dropped into the web directory (e.g., C:\inetpub\wwwroot). Because it is "bespoke," it does not match known hashes of common web shells like China Chopper or Godzilla.
- Command and Control (C2): The shell communicates via HTTP/HTTPS, mimicking legitimate web traffic to bypass network firewalls.
- Execution: The w3wp.exe (IIS Worker Process) spawns child processes (cmd.exe, powershell.exe) to execute system commands on behalf of the attacker.
Exploitation Status: Confirmed active exploitation in-the-wild. This is not a theoretical risk; OP-512 is currently operational.
Detection & Response
Detecting OP-512 requires a shift from static signature matching to behavioral analysis. Since the web shell is custom, we must detect the behavior of the IIS worker process acting unusually.
SIGMA Rules
The following Sigma rules focus on the parent-child relationship between the IIS worker process and system shells, as well as uncommon network egress patterns.
---
title: OP-512 IIS Worker Process Spawning System Shell
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the IIS worker process (w3wp.exe) spawning cmd.exe, powershell.exe or pwsh.exe, a common behavior of web shells like the OP-512 framework.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - attack.persistence
  - attack.t1505.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative scripts running via IIS (rare, requires validation)
level: high
---
title: OP-512 IIS Worker Process Network Egress
id: 9b5c3d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the IIS worker process initiating outbound network connections to addresses outside private, loopback and link-local ranges, as a web shell framework reaching back to its C2 would.
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\w3wp.exe'
    Initiated: 'true'
  filter_private_ranges:
    # CIDR matching instead of string prefixes: '172.16.' alone misses 172.17-172.31.
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
      - '169.254.0.0/16'
      - '::1/128'
      - 'fc00::/7'
      - 'fe80::/10'
  # No port filter: the C2 described above rides HTTP/HTTPS, so 80/443 must stay in scope.
  condition: selection and not filter_private_ranges
falsepositives:
  - Legitimate IIS applications connecting to external APIs or SaaS endpoints; baseline the known destinations per server and exclude them in a local filter
level: medium
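As an added example (not code from ReliaQuest or from the Security Arsenal advisory), the following Python prototypes the logic of both rules above against a few constructed Sysmon-style events, so the filters can be checked before they are pushed to a SIEM. Field names follow Sysmon Event ID 1 (process creation) and Event ID 3 (network connection); the SAMPLE_EVENTS list and the LOCAL_NETS ranges are assumptions. It uses real CIDR matching, which is what correctly classifies a 172.20.x.x destination that a bare '172.16.' prefix test would treat as external.

```python
"""Behavioural checks behind the two Sigma rules, run over constructed events.
Added example, not ReliaQuest's or Security Arsenal's code. Event field names
follow Sysmon EID 1 / EID 3; the sample events and range list are assumptions."""
import ipaddress
from typing import Iterable

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# RFC 1918, loopback, link-local and their IPv6 equivalents (assumed baseline).
# CIDR objects avoid the "172.16." gap: 172.16.0.0/12 spans 172.16 through 172.31.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def basename(path: str) -> str:
    """File name of a Windows path, lower-cased (Image|endswith semantics)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_local(ip: str) -> bool:
    """True if ip falls in any private/loopback/link-local range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def iis_spawns_shell(ev: dict) -> bool:
    """Rule 1: w3wp.exe is the parent of a system shell."""
    return (basename(ev.get("ParentImage", "")) == IIS_WORKER
            and basename(ev.get("Image", "")) in SHELLS)


def iis_external_egress(ev: dict) -> bool:
    """Rule 2: w3wp.exe initiates a connection to a non-local address.
    Ports are deliberately not filtered: the C2 mimics HTTP/HTTPS, so 80/443 stay in scope."""
    return (basename(ev.get("Image", "")) == IIS_WORKER
            and str(ev.get("Initiated", "")).lower() == "true"
            and not is_local(ev.get("DestinationIp", "")))


def triage(events: Iterable[dict]) -> list[tuple[str, dict]]:
    """Apply both rules and return (rule_name, event) pairs for every hit."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1 and iis_spawns_shell(ev):
            hits.append(("iis_spawns_shell", ev))
        elif ev.get("EventID") == 3 and iis_external_egress(ev):
            hits.append(("iis_external_egress", ev))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Initiated": "true", "DestinationIp": "172.20.5.10", "DestinationPort": 1433},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Initiated": "false", "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
```

Run against the samples, only the cmd.exe child and the 443 connection to 203.0.113.7 fire; the conhost.exe child, the internal SQL connection to 172.20.5.10 and the inbound (Initiated false) connection are all dropped, which is the behaviour the two Sigma rules are meant to have.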
KQL (Microsoft Sentinel / Defender)
This query hunts for process creation events where the IIS worker process is the parent. It is a strong signal for the OP-512 framework in action, though a framework that executes .NET code in-process will not spawn a child shell, so pair it with the file and network hunts below. The case-insensitive operators (=~, in~) avoid missing events where the file name is recorded with different casing.
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for processes spawned by w3wp.exe and checks for recently modified ASPX/ASMX/ASHX files in web directories that could be the web shell payload. pslist() exposes Ppid but not the parent's name, so the w3wp.exe PIDs are resolved first and the children are matched against them.
-- Hunt for suspicious child processes of the IIS Worker Process
SELECT * FROM foreach(
  row={ SELECT Pid AS ParentPid FROM pslist() WHERE Name =~ "^w3wp[.]exe$" },
  query={
    SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime
    FROM pslist()
    WHERE Ppid = ParentPid AND Name =~ "^(cmd|powershell|pwsh)[.]exe$"
  })

-- Hunt for recently modified script files in web roots (globs= takes a list)
SELECT OSPath, Size, Mtime, Btime, Mode
FROM glob(globs=["C:/inetpub/**/*.aspx", "C:/inetpub/**/*.asmx", "C:/inetpub/**/*.ashx"])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)
Triage Script (PowerShell)
This script aids in the investigation by identifying files in the IIS directory modified within the last 7 days (a common timeline for active intrusions) and checking for common web shell keywords. Keywords are matched literally, and FromBase64String is used rather than the PHP-only base64_decode, which never appears in ASP.NET shells. LastWriteTime can be timestomped, so treat a clean result as a first pass, not as proof of absence. Note: Do not run this blindly on production servers without approval; it is a triage tool.
# OP-512 Triage Script for IIS Servers
# Checks for recently modified script files and suspicious keywords
$WebRoots = @("C:\inetpub\wwwroot", "C:\inetpub\ftproot")
$DaysToCheck = 7
$SuspiciousKeywords = @("System.Diagnostics.Process", "eval", "FromBase64String", "Request.Form", "Request.QueryString")
Write-Host "[+] Scanning for script files modified in the last $DaysToCheck days..."
foreach ($Root in $WebRoots) {
    if (-not (Test-Path $Root)) { continue }
    Get-ChildItem -Path $Root -Recurse -File -Include *.aspx, *.asmx, *.asp, *.ashx, *.config -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$DaysToCheck) } |
        ForEach-Object {
            $File = $_
            $Content = Get-Content -LiteralPath $File.FullName -Raw -ErrorAction SilentlyContinue
            $FoundKeywords = @()
            foreach ($Keyword in $SuspiciousKeywords) {
                # Escape the keyword so "." matches a literal dot, not any character
                if ($Content -and $Content -match [regex]::Escape($Keyword)) {
                    $FoundKeywords += $Keyword
                }
            }
            if ($FoundKeywords.Count -gt 0) {
                Write-Host "[!] SUSPICIOUS FILE FOUND: $($File.FullName)" -ForegroundColor Red
                Write-Host "    - Modified: $($File.LastWriteTime)  Created: $($File.CreationTime)"
                Write-Host "    - Matched Keywords: $($FoundKeywords -join ', ')"
            } else {
                Write-Host "[+] Recently Modified: $($File.FullName)" -ForegroundColor Cyan
            }
        }
}
Write-Host "[+] Scan complete. Review findings for potential OP-512 web shells."
Remediation
If OP-512 activity is suspected or confirmed, take the following immediate steps:
- Isolation: Disconnect the compromised IIS server from the network immediately to prevent lateral movement or data exfiltration.
- Forensic Preservation: Acquire a memory image and disk clone of the server for full DFIR analysis. Do not rely solely on log files, as volatile evidence of the running web shell process will be lost upon shutdown.
- Credential Reset: Assume all credentials cached or used by the IIS application pool identity (often IIS AppPool\AppPoolName or a service account) are compromised. Reset these passwords immediately.
- Identify and Remove the Web Shell:
  - Locate the malicious file (usually recently modified script files in C:\inetpub).
  - Do not simply delete the file; analyze it to understand the persistence mechanism, including any IIS module registrations, since the framework may persist as a native module rather than a script file.
- Patch and Hardening:
  - Ensure the OS and IIS are fully patched. Although no specific CVE is cited for OP-512 in this report, web shells typically enter via unpatched services.
  - Restrict w3wp.exe execution capabilities. Configure Application Pool identities with the absolute minimum permissions required (Principle of Least Privilege), and deny the pool identity write access to the web root so a compromised application cannot drop new script files.
  - Keep IIS Request Filtering rules current, and use URL Rewrite rules where appropriate, to block common exploitation patterns.
- Validation: Monitor the environment closely for 30 days post-remediation to ensure no secondary persistence mechanisms remain.
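Because the advisory notes that the framework may be built on native IIS modules, the "analyze the persistence mechanism" step should cover the module registrations in %windir%\System32\inetsrv\config\applicationHost.config, not only the files under C:\inetpub. The following Python is an added example, not code from ReliaQuest or Security Arsenal: it parses a constructed applicationHost.config fragment and flags native globalModules whose DLL lives outside the inetsrv directory, managed modules whose type is not in an assumed known-good namespace list, and module entries that reference no registered globalModule. The trusted path, the namespace prefixes and the sample XML are assumptions; build the real baseline from a clean server (for example with Get-WebGlobalModule from the WebAdministration module) and run the audit against the live file.

```python
"""Audit IIS module registrations in applicationHost.config for persistence.
Added example, not from ReliaQuest or Security Arsenal. The trusted directory,
the managed-namespace baseline and the sample XML below are assumptions."""
import xml.etree.ElementTree as ET

INETSRV_DIR = r"c:\windows\system32\inetsrv"             # assumed default IIS install path
KNOWN_MANAGED_PREFIXES = ("system.web.", "microsoft.")   # assumption: baseline from a clean host


def norm_path(path: str) -> str:
    """Lower-case, backslash-normalise and expand %windir% without touching the live environment."""
    return path.strip().lower().replace("/", "\\").replace("%windir%", r"c:\windows")


def audit_iis_modules(config_xml: str) -> dict:
    """Return suspicious native, managed and unresolved module registrations."""
    root = ET.fromstring(config_xml)
    findings = {"native": [], "managed": [], "unresolved": []}
    registered_native = {}

    # Native modules: <globalModules><add name=... image=... /> anywhere in the tree.
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            registered_native[name] = image
            if not norm_path(image).startswith(INETSRV_DIR + "\\"):
                findings["native"].append((name, image))

    # Enabled modules: <modules><add name=... [type=...] />. A type attribute means a
    # managed (.NET) module; without one the entry must name a registered globalModule.
    for mods in root.iter("modules"):
        for add in mods.findall("add"):
            name, typ = add.get("name", ""), add.get("type")
            if typ:
                if not typ.strip().lower().startswith(KNOWN_MANAGED_PREFIXES):
                    findings["managed"].append((name, typ))
            elif name not in registered_native:
                findings["unresolved"].append(name)
    return findings


# Constructed applicationHost.config fragment (not a real capture).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="IISCache" image="C:\inetpub\temp\iiscache.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="UriCacheModule" lockItem="true" />
        <add name="GhostModule" lockItem="true" />
        <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
        <add name="ProxyModule" type="Proxy.Handler, Proxy" preCondition="managedHandler" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for kind, items in audit_iis_modules(SAMPLE_CONFIG).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Against the sample, the DLL under C:\inetpub\temp, the Proxy.Handler managed type and the GhostModule entry with no backing globalModule are reported; the stock UriCacheModule and Session entries are not. Anything the audit flags on a real server should be preserved (the DLL and its load path) before the server is rebuilt, since it is the artefact that explains how access survived a web-root cleanup.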