A recent security incident has revealed that over 3,000 publicly disclosed ASP.NET machine keys were exploited by hackers to execute remote code on IIS servers.
This attack utilized ViewState code injection techniques, allowing malicious actors to gain unauthorized access and deploy post-exploitation frameworks like Godzilla.
The breach highlights a critical weakness in the way developers handle machine keys in web applications. ASP.NET machine keys secure ViewState data: the ValidationKey protects its integrity and the DecryptionKey protects its confidentiality.
However, researchers at Microsoft noted that many developers have copied these keys from public resources, such as online documentation or repositories, leaving their applications vulnerable.
Attack Chain
- ViewState Injection: Attackers craft a malicious ViewState payload using publicly disclosed machine keys.
- POST Request: The payload is sent to the target server via an HTTP POST request.
- Execution on IIS Server: The server decrypts and validates the payload using the compromised key, executing malicious code in the process.
In December 2024, Microsoft Threat Intelligence observed this technique being used to deploy the Godzilla framework—a powerful post-exploitation tool capable of executing commands, injecting shellcode, and more.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuZk_Z6_PDN26KWIpZrm3FaYXv0VoT_SJ_41VGLulrqbNoBazcSil63u2T7oYiFJ0QlvFWeEPxTai3dDgSL9a4B42VyMWpKOKurl16imb29jb-wsPiuJIVYFj2-rM3yth9kztbqKjN72mukzmKeJ8hezMYw0t_8I86M71RtBpWodAOo3xXFKZaa0SO5dA/s16000/ViewState%20code%20injection%20attack%20chain%20(Source%20-%20Microsoft).webp)
The attackers used a malicious ViewState payload that loaded a .NET assembly (assembly.dll) reflectively into memory. Below is an example of how machine keys are defined in web.config files:
If these keys are publicly disclosed or reused across applications, they can be exploited to inject malicious code.
Microsoft recommends rotating machine keys to mitigate risks. Below is a PowerShell script to generate new keys:

```powershell
function Generate-MachineKey {
    param (
        [string]$decryptionAlgorithm = 'AES',
        [string]$validationAlgorithm = 'HMACSHA256'
    )
    process {
        # 256-bit AES decryption key, rendered as upper-case hex for web.config
        $decryptionObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
        $decryptionObject.GenerateKey()
        $decryptionKey = [System.BitConverter]::ToString($decryptionObject.Key).Replace("-", "")
        # 512-bit HMAC validation key from a cryptographic RNG. GetBytes() fills a
        # caller-supplied buffer and returns nothing, so the buffer is allocated first.
        $validationBytes = New-Object byte[] 64
        (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($validationBytes)
        $validationObject = New-Object System.Security.Cryptography.HMACSHA256
        $validationObject.Key = $validationBytes
        $validationKey = [System.BitConverter]::ToString($validationObject.Key).Replace("-", "")
        # Emit the machineKey element ready to paste into <system.web> in web.config
        Write-Output ("<machineKey decryption=`"{0}`" decryptionKey=`"{1}`" validation=`"{2}`" validationKey=`"{3}`" />" -f
            $decryptionAlgorithm.ToUpperInvariant(), $decryptionKey,
            $validationAlgorithm.ToUpperInvariant(), $validationKey)
    }
}
Generate-MachineKey
```
To enhance security, organizations should rotate machine keys regularly using secure methods and avoid using keys copied from public resources.
It is also important to enable logging and monitoring by configuring auditing for web.config files and monitoring Windows Security Logs for unauthorized access attempts, specifically Event ID 4663.
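One way to set up the web.config auditing described above, as an added example that is not part of the original article or Microsoft's guidance: a PowerShell script that adds a SACL to every web.config under an IIS content root so that access and modification show up as Event ID 4663 in the Security log, then lists the resulting events. The site path, the audited rights and the 4663 property indices are assumptions.

```powershell
# Added example: audit every web.config under an IIS site root so that reads,
# writes, deletions and permission changes are logged as Event ID 4663.
# Run elevated. The "Audit File System" subcategory must also be on, e.g.:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot'   # assumed IIS content root
)

# Rights relevant to tampering with, or harvesting, a machineKey element.
$rights = 'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Audit 'Everyone' (SID S-1-1-0) for both successful and failed attempts.
$everyone  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, 'Success, Failure')

function Set-WebConfigAudit {
    param([string]$Root)
    Get-ChildItem -Path $Root -Filter 'web.config' -Recurse -File | ForEach-Object {
        # -Audit is required so Get-Acl returns the SACL, not just the DACL
        $acl = Get-Acl -Path $_.FullName -Audit
        $acl.AddAuditRule($auditRule)
        Set-Acl -Path $_.FullName -AclObject $acl
        Write-Output "SACL set on $($_.FullName)"
    }
}

function Get-WebConfigAccessEvents {
    param([int]$Days = 1)
    # 4663 property positions (assumed from the event schema):
    # 1 = SubjectUserName, 6 = ObjectName, 11 = ProcessName
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days)
    } |
        Where-Object { $_.Properties[6].Value -match 'web\.config$' } |
        Select-Object TimeCreated,
            @{ n = 'Account'; e = { $_.Properties[1].Value } },
            @{ n = 'Object';  e = { $_.Properties[6].Value } },
            @{ n = 'Process'; e = { $_.Properties[11].Value } }
}

Set-WebConfigAudit -Root $SiteRoot
Get-WebConfigAccessEvents -Days 1 | Format-Table -AutoSize
```

Accesses by the IIS worker process itself are expected noise; an edit from an interactive account or an unfamiliar process is what warrants a look.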
Make sure to use Microsoft Defender tools, which can aid in detecting publicly disclosed keys through alerts like “Publicly disclosed ASP.NET machine key”, and investigate any suspicious activity using Microsoft Security Copilot.
Organizations must prioritize rotating machine keys, auditing configuration files, and leveraging advanced security tools to detect and mitigate such attacks.
Indicators of Compromise
- Malicious assembly (assembly.dll) SHA-256 hash: 19d87910d1a7ad9632161fd9dd6a54c8a059a64fc5f5a41cf5055cd37ec0499d
- Alerts such as “IIS worker process loaded suspicious .NET assembly.”