From d84019ce5a53a4c183557450e9f0aa0b1977fc87 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Mon, 30 Sep 2024 10:35:12 -0600
Subject: [PATCH] PSWA Updates

---
 ...ible_lateral_movement_powershell_spawn.yml |  1 +
 ...dentify_powershell_web_access_iis_pool.yml | 71 +++++++++++++++++++
 ...windows_iis_server_pswa_console_access.yml | 61 ++++++++++++++++
 stories/cisa_aa24_241a.yml                    |  3 +
 4 files changed, 136 insertions(+)
 create mode 100644 detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml
 create mode 100644 detections/web/windows_iis_server_pswa_console_access.yml

diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
index ffa2ba48c5..f59d9d10de 100644
--- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
+++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
@@ -50,6 +50,7 @@ tags:
   - Hermetic Wiper
   - Data Destruction
   - Scheduled Tasks
+  - CISA AA24-241A
   asset_type: Endpoint
   confidence: 50
   impact: 90
diff --git a/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml b/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml
new file mode 100644
index 0000000000..dc39beb84b
--- /dev/null
+++ b/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml
@@ -0,0 +1,71 @@
+name: Windows Identify PowerShell Web Access IIS Pool
+id: d8419343-f0f8-4d8e-91cc-18bb531df87d
+version: 1
+date: '2024-09-09'
+author: Michael Haag, Splunk
+data_sources:
+- Windows Security 4648
+type: Hunting
+status: production
+description: This analytic detects and analyzes PowerShell Web Access (PSWA) usage in Windows environments. It tracks both connection attempts (EventID 4648) and successful logons (EventID 4624) associated with PSWA, providing a comprehensive view of access patterns. The analytic identifies PSWA's operational status, host servers, processes, and connection metrics. It highlights unique target accounts, domains accessed, and verifies logon types. This information is crucial for detecting potential misuse, such as lateral movement, brute force attempts, or unusual access patterns. By offering insights into PSWA activity, it enables security teams to quickly assess and investigate potential security incidents involving this powerful administrative tool.
+search: '`wineventlog_security` (EventCode=4648 OR EventCode=4624 OR EventCode=4625) SubjectUserName="pswa_pool"
+  | fields EventCode, SubjectUserName, TargetUserName, Computer, TargetDomainName, ProcessName, LogonType
+  | rename Computer as dest
+  | stats 
+      count(eval(EventCode=4648)) as "Connection Attempts",
+      count(eval(EventCode=4624)) as "Successful Logons",
+      count(eval(EventCode=4625)) as "Unsuccessful Logons",
+      dc(TargetUserName) as "Unique Target Accounts",
+      values(dest) as "PSWA Host",
+      dc(TargetDomainName) as "Unique Target Domains",
+      values(ProcessName) as "PSWA Process",
+      values(TargetUserName) as "Target Users List",
+      values(TargetServerName) as "Target Servers List",
+      values(LogonType) as "Logon Types"
+  | eval 
+      PSWA_Running = "Yes",
+      "PSWA Process" = mvindex(split(mvindex("PSWA Process", 0), "\\"), -1)
+  | fields PSWA_Running, "PSWA Host", "PSWA Process", "Connection Attempts", "Successful Logons","Unsuccessful Logons", "Unique Target Accounts", "Unique Target Domains", "Target Users List","Target Servers List", "Logon Types"
+  | `security_content_ctime(firstTime)` 
+  |`security_content_ctime(lastTime)`
+  | `windows_identify_powershell_web_access_iis_pool_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event logs, specifically Event ID 4648 (A logon was attempted using explicit credentials). Ensure that your Windows systems are configured to audit logon events and that these logs are being forwarded to your SIEM or log management solution. You may need to enable advanced audit policy settings in Windows to capture these events. Additionally, make sure that your environment is set up to capture the necessary fields such as SubjectUserName, TargetUserName, Computer, TargetServerName, and ProcessName from these events. If you're using Splunk, ensure that you have the appropriate Windows TA installed and configured to collect these security logs.
+known_false_positives: False positives may occur if legitimate PSWA processes are used for administrative tasks. Careful review of the logs is recommended to distinguish between legitimate and malicious activity.
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
+- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+tags:
+  analytic_story:
+  - CISA AA24-241A
+  asset_type: Endpoint
+  confidence: 80
+  impact: 80
+  message: PowerShell Web Access (PSWA) activity detected on $dest$.
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - SubjectUserName
+  - TargetUserName
+  - dest
+  - TargetServerName
+  - ProcessName
+  risk_score: 64
+  security_domain: endpoint
+  cve: []
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/4648_pswa_pool.log
+    sourcetype: XmlWinEventLog
+    source: XmlWinEventLog:Security
diff --git a/detections/web/windows_iis_server_pswa_console_access.yml b/detections/web/windows_iis_server_pswa_console_access.yml
new file mode 100644
index 0000000000..ff8d524563
--- /dev/null
+++ b/detections/web/windows_iis_server_pswa_console_access.yml
@@ -0,0 +1,61 @@
+name: Windows IIS Server PSWA Console Access
+id: 914ab191-fa8a-48cb-83a6-0565e061f934
+version: 1
+date: '2024-09-30'
+author: Michael Haag, Splunk
+data_sources:
+- Windows IIS
+type: Hunting
+status: production
+description: This analytic detects access attempts to the PowerShell Web Access (PSWA) console on Windows IIS servers. It monitors web traffic for requests to PSWA-related URIs, which could indicate legitimate administrative activity or potential unauthorized access attempts. By tracking source IP, HTTP status, URI path, and HTTP method, it helps identify suspicious patterns or brute-force attacks targeting PSWA. This detection is crucial for maintaining the security of remote PowerShell management interfaces and preventing potential exploitation of this powerful administrative tool.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Web where Web.dest IN ("/pswa/*")
+    by Web.src Web.status Web.uri_path Web.dest Web.http_method 
+  Web.uri_query | `drop_dm_object_name("Web")`| `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_iis_server_pswa_console_access_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node.
+  In addition, confirm the latest CIM App 4.20 or higher is installed.
+known_false_positives: False positives may occur if legitimate PSWA processes are used for administrative tasks. Careful review of the logs is recommended to distinguish between legitimate and malicious activity.
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
+tags:
+  analytic_story:
+  - CISA AA24-241A
+  asset_type: Web Server
+  confidence: 80
+  impact: 40
+  message: Access to the PowerShell Web Access (PSWA) console detected from $src$.
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - Web.src
+  - Web.status
+  - Web.uri_path
+  - Web.dest
+  - Web.http_method
+  - Web.uri_query
+  risk_score: 32
+  security_domain: network
+  cve: []
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log
+    sourcetype: ms:iis:splunk
+    source: ms:iis:splunk
diff --git a/stories/cisa_aa24_241a.yml b/stories/cisa_aa24_241a.yml
index 63f341a44f..3e5732f6e4 100644
--- a/stories/cisa_aa24_241a.yml
+++ b/stories/cisa_aa24_241a.yml
@@ -8,6 +8,9 @@ narrative: As of August 2024, Iran-based cyber actors continue to exploit organi
 references:
   - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
   - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+  - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/want-remote-powershell-management-from-your-browser-see-how-pswa/ba-p/255764
+  - https://learn.microsoft.com/en-us/powershell/module/powershellwebaccess/?view=winserver2012r2-ps
+  - https://arz101.medium.com/hackthebox-acute-ee0308b9b443
 tags:
   category:
   - Adversary Tactics