EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Windows IIS Server PSWA Console Access

This analytic detects access attempts to the PowerShell Web Access (PSWA) console on Windows IIS servers. It monitors web traffic for requests to PSWA-related URIs, which could indicate legitimate administrative activity or potential unauthorized access attempts. By tracking source IP, HTTP status, URI path, and HTTP method, it helps identify suspicious patterns or brute-force attacks targeting PSWA. This detection is crucial for maintaining the security of remote PowerShell management interfaces and preventing potential exploitation of this powerful administrative tool.

MITRE ATT&CK

T1190
initial-access

Detection Query

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
  WHERE Web.dest IN ("/pswa/*")
  BY Web.src Web.status Web.uri_path
     Web.dest Web.http_method Web.uri_query
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_iis_server_pswa_console_access_filter`

Author

Michael Haag, Splunk

Created

2026-02-25

Data Sources

Windows IIS

References

Tags

CISA AA24-241A
Raw Content
name: Windows IIS Server PSWA Console Access
id: 914ab191-fa8a-48cb-83a6-0565e061f934
version: 5
date: '2026-02-25'
author: Michael Haag, Splunk
data_source:
    - Windows IIS
type: Hunting
status: production
description: This analytic detects access attempts to the PowerShell Web Access (PSWA) console on Windows IIS servers. It monitors web traffic for requests to PSWA-related URIs, which could indicate legitimate administrative activity or potential unauthorized access attempts. By tracking source IP, HTTP status, URI path, and HTTP method, it helps identify suspicious patterns or brute-force attacks targeting PSWA. This detection is crucial for maintaining the security of remote PowerShell management interfaces and preventing potential exploitation of this powerful administrative tool.
search: |-
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
      WHERE Web.dest IN ("/pswa/*")
      BY Web.src Web.status Web.uri_path
         Web.dest Web.http_method Web.uri_query
    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_iis_server_pswa_console_access_filter`
how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.
known_false_positives: False positives may occur if legitimate PSWA processes are used for administrative tasks. Careful review of the logs is recommended to distinguish between legitimate and malicious activity.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
tags:
    analytic_story:
        - CISA AA24-241A
    asset_type: Web Server
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
    cve: []
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log
          sourcetype: ms:iis:splunk
          source: ms:iis:splunk