Detection rules › Splunk
Windows Identify PowerShell Web Access IIS Pool
This analytic detects and analyzes PowerShell Web Access (PSWA) usage in Windows environments. It tracks both connection attempts (EventID 4648) and successful logons (EventID 4624) associated with PSWA, providing a comprehensive view of access patterns. The analytic identifies PSWA's operational status, host servers, processes, and connection metrics. It highlights unique target accounts, domains accessed, and verifies logon types. This information is crucial for detecting potential misuse, such as lateral movement, brute force attempts, or unusual access patterns. By offering insights into PSWA activity, it enables security teams to quickly assess and investigate potential security incidents involving this powerful administrative tool.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1190 Exploit Public-Facing Application |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4624 | An account was successfully logged on. |
| Security-Auditing | 4625 | An account failed to log on. |
| Security-Auditing | 4648 | A logon was attempted using explicit credentials. |
Stages and Predicates
Stage 1: search
search (EventCode=4624 OR EventCode=4625 OR EventCode=4648) SubjectUserName="pswa_pool"
Stage 2: fields
fields Computer, EventCode, LogonType, ProcessName, SubjectUserName, TargetDomainName, TargetUserName
Stage 3: rename
rename
Stage 4: stats
stats
Stage 5: eval
eval ...
Stage 6: fields
fields "Connection Attempts", "Logon Types", "PSWA Host", "PSWA Process", "Successful Logons", "Target Servers List", "Target Users List", "Unique Target Accounts", "Unique Target Domains", "Unsuccessful Logons", PSWA_Running
Stage 7: search
search
Stage 8: search
search
Stage 9: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
SubjectUserName | eq |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- Multiple Logon Failure Followed by Logon Success
- Potential Computer Account NTLM Relay Activity
- Potential Kerberos Relay Attack against a Computer Account
- Potential NTLM Relay Attack against a Computer Account
- Remote Windows Service Installed
- Suspicious Service was Installed in the System
- Service Creation via Local Kerberos Authentication
- Hacktool Ruler
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.
- Hacktool Ruler
- Metasploit SMB Authentication
- Multiple Logon Failure Followed by Logon Success
- Potential Computer Account NTLM Relay Activity
- Potential Kerberos Relay Attack against a Computer Account
- Potential NTLM Relay Attack against a Computer Account
- Windows Local Administrator Credential Stuffing