LoFP LoFP / false positives may occur if legitimate pswa processes are used for administrative tasks. careful review of the logs is recommended to distinguish between legitimate and malicious activity.

Techniques

Sample rules

Windows IIS Server PSWA Console Access

Description

This analytic detects access attempts to the PowerShell Web Access (PSWA) console on Windows IIS servers. It monitors web traffic for requests to PSWA-related URIs, which could indicate legitimate administrative activity or potential unauthorized access attempts. By tracking source IP, HTTP status, URI path, and HTTP method, it helps identify suspicious patterns or brute-force attacks targeting PSWA. This detection is crucial for maintaining the security of remote PowerShell management interfaces and preventing potential exploitation of this powerful administrative tool.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.dest IN ("/pswa/*") by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query 
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_iis_server_pswa_console_access_filter`

Windows Identify PowerShell Web Access IIS Pool

Description

This analytic detects and analyzes PowerShell Web Access (PSWA) usage in Windows environments. It tracks both connection attempts (EventID 4648) and successful logons (EventID 4624) associated with PSWA, providing a comprehensive view of access patterns. The analytic identifies PSWA’s operational status, host servers, processes, and connection metrics. It highlights unique target accounts, domains accessed, and verifies logon types. This information is crucial for detecting potential misuse, such as lateral movement, brute force attempts, or unusual access patterns. By offering insights into PSWA activity, it enables security teams to quickly assess and investigate potential security incidents involving this powerful administrative tool.

Detection logic

`wineventlog_security` (EventCode=4648 OR EventCode=4624 OR EventCode=4625) SubjectUserName="pswa_pool" 
| fields EventCode, SubjectUserName, TargetUserName, Computer, TargetDomainName, ProcessName, LogonType 
| rename Computer as dest 
| stats count(eval(EventCode=4648)) as "Connection Attempts", count(eval(EventCode=4624)) as "Successful Logons", count(eval(EventCode=4625)) as "Unsuccessful Logons", dc(TargetUserName) as "Unique Target Accounts", values(dest) as "PSWA Host", dc(TargetDomainName) as "Unique Target Domains", values(ProcessName) as "PSWA Process", values(TargetUserName) as "Target Users List", values(TargetServerName) as "Target Servers List", values(LogonType) as "Logon Types" 
| eval PSWA_Running = "Yes", "PSWA Process" = mvindex(split(mvindex("PSWA Process", 0), "\\"), -1) 
| fields PSWA_Running, "PSWA Host", "PSWA Process", "Connection Attempts", "Successful Logons","Unsuccessful Logons", "Unique Target Accounts", "Unique Target Domains", "Target Users List","Target Servers List", "Logon Types" 
| `security_content_ctime(firstTime)` 
|`security_content_ctime(lastTime)` 
| `windows_identify_powershell_web_access_iis_pool_filter`