Microsoft Threat Intelligence identified a threat actor exploiting publicly disclosed ASP.NET machine keys to perform ViewState code injection attacks. This technique enables attackers to inject malicious code into web applications, leading to remote code execution on IIS servers. In December 2024, an attacker used this method to deploy the Godzilla post-exploitation framework, taking advantage of a machine key found in publicly available repositories.
ViewState is an ASP.NET feature that preserves web page state between postbacks, using machine keys (ValidationKey and DecryptionKey) to secure the data. Attackers who obtain these keys can craft malicious ViewState payloads and send them via POST requests to target IIS servers. When processed, these payloads execute arbitrary code on the server, providing remote code execution (RCE) capabilities.
In the observed attack, an adversary used a publicly available machine key to inject a malicious ViewState payload that loaded assembly.dll (SHA-256: 19d87910d1a7ad9632161fd9dd6a54c8a059a64fc5f5a41cf5055cd37ec0499d). This payload deployed the Godzilla post-exploitation framework, allowing further malicious activities such as command execution and shellcode injection.
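
Because the attack depends on a machine key that is known outside the server, one defensive check is to audit web.config files for hard-coded keys. The following is an added example, not code from the original page or from Microsoft: it flags static `validationKey`/`decryptionKey` values and compares their SHA-256 fingerprints with a deny list. The sample configs, the key values and the `KNOWN_PUBLIC` list are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with hard-coded machine keys (placeholder hex).
SAMPLE_STATIC = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: keys generated per server, so nothing can leak from a repository.
SAMPLE_AUTO = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

def key_fingerprint(key):
    """SHA-256 of the normalized key, so the deny list never stores raw keys."""
    return hashlib.sha256(key.strip().upper().encode("utf-8")).hexdigest()

# Hypothetical deny list of fingerprints of keys known to be public.
# Seeded here from the constructed sample key above.
KNOWN_PUBLIC = {key_fingerprint("0123456789ABCDEF" * 4)}

def audit_machine_keys(config_text, known_public=KNOWN_PUBLIC):
    """Return (attribute, status) findings for each <machineKey> in a web.config."""
    findings = []
    for elem in ET.fromstring(config_text).iter():
        # Strip an XML namespace prefix if the config declares one.
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr, "")
            if not value or value.upper().startswith("AUTOGENERATE"):
                continue  # auto-generated keys are not stored in the file
            hit = key_fingerprint(value) in known_public
            findings.append((attr, "publicly-disclosed" if hit else "static"))
    return findings

if __name__ == "__main__":
    for name, text in (("static", SAMPLE_STATIC), ("auto", SAMPLE_AUTO)):
        print(name, audit_machine_keys(text))
```

A `static` finding means the key lives in the file and should be checked for exposure in source control; a `publicly-disclosed` finding means the key should be rotated.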