Article may be outdated

This article is 11 days old. Some details may have changed since publication.

Hacker News·5 min read·hard

Decrypting View State Messages

S
speckx
Decrypting View State Messages
AI Summary

This technical post explores the process of decrypting malicious 'view state' data found in Windows application logs. The author details the challenges of extracting machine keys from disk images and provides insights into the differences between legacy and modern IIS cryptographic configurations.

I recently had someone reach out to me with an interesting problem. They had found a 1316 event in their Windows application logs that contained a likely malicious view state. There was just one catch, it was encrypted. To make matters worse, all they had access to was a disk image of the host. After extracting the web.config file for the affected site, they found the compromised site had been configured with automatically generated keys. They were able to dump the autogen keys from the Windows registry, however they didn’t know how to use these to decrypt their view state.

Continue reading on Headlinne

Create a free account to read the full article.

Read full article →
technologyscience

Get the full story

Sign up for Headlinne to unlock AI insights, political bias analysis, and your personalized news feed.

Create free account

Already have an account? Sign in

Decrypting View State Messages — Headlinne — headlinne