Hello,
I was wondering if someone could help me to better understand the following alert.
I have an alert of accessed restricted asset for the first time using c:\windows\system32\inetsrv\w3wp.exe. In this alert I have two logs using the service w3wp.exe with event code 4648 and two using the service "advapi" with event code 4624. I have done some research online and I still cannot figure out what the user's action was that generated this alert. I wanted to better understand what w3wp.exe and advapi are, and what the user action was.
When I'm researching asset authentications and see that the service being used is advapi and/or w3wp, I always look for stored credentials within a browser. w3wp is the IIS worker process, and advapi is another process that also goes with IIS. Take a look at any of the stored credentials within the asset's browser and the system itself to see if there is anything that is outdated or wrong.
I would like to know if through the log I collected from the alert I can better understand how the user did the access/authentication.
In this case I can check the following information in the log: “logon_type”: “NETWORK”, “result”: “SUCCESS”, “service”: “advapi”, “eventCode”: 4624.
I would like to understand if the user did Runas, PowerShell, Remote Desktop, etc, to access this restricted machine.
Or how is the authentication done using w3wp.exe or advapi.
No worries! If it was a 4648 event code, that would indicate the runas possibility, but more than likely it's stored credentials or a service that is connecting via advapi for IIS or something similar. If it was Remote Desktop, it would not be a Network logon; it would have been a Remote logon type in IDR.
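Below is an added triage helper, not code from this thread or from InsightIDR, that applies the reasoning in the replies above to an exported set of 4624/4648 records. The records are constructed to mirror the fields quoted in the question (eventCode, logon_type, result, service); the extra fields (time, source_host, target_user, target_host) are assumed names for an exported alert. The logon-type numbers and the meaning of the Advapi and User32 logon processes are standard Windows Security-log facts; the verdict strings are this script's own wording.

```python
"""Triage helper for a 'restricted asset accessed' alert built on Windows
Security events 4624 (successful logon) and 4648 (explicit-credential logon).
Added example for this thread, not InsightIDR code.  Event records below are
constructed; field names beyond those quoted in the thread are assumptions.
"""
import json

# Windows 4624 "Logon Type" values with a normalized name for each.  The
# names are this script's own, modelled on the "NETWORK" value in the thread.
LOGON_TYPES = {
    2: "INTERACTIVE",          # console logon
    3: "NETWORK",              # SMB, WinRM, RPC, IIS with Windows auth
    4: "BATCH",                # scheduled task
    5: "SERVICE",              # service start
    8: "NETWORK_CLEARTEXT",    # typical of IIS Basic authentication
    9: "NEW_CREDENTIALS",      # runas /netonly
    10: "REMOTE_INTERACTIVE",  # Remote Desktop / Terminal Services
    11: "CACHED_INTERACTIVE",  # console logon with cached domain creds
}

# How each logon type is normally reached: the answer to "RDP, runas, PowerShell...?"
ACCESS_METHOD = {
    "INTERACTIVE": "local console session",
    "NETWORK": "network logon (SMB, WinRM/PowerShell remoting, RPC, or IIS authenticating a user); not Remote Desktop",
    "BATCH": "scheduled task",
    "SERVICE": "service start",
    "NETWORK_CLEARTEXT": "network logon with cleartext credentials, typical of IIS Basic authentication",
    "NEW_CREDENTIALS": "runas /netonly or equivalent: same desktop, new outbound credentials",
    "REMOTE_INTERACTIVE": "Remote Desktop / Terminal Services session",
    "CACHED_INTERACTIVE": "console logon with cached domain credentials",
}

# Constructed records (assumed export format: one JSON object per line).
EVENT_LOG = r"""
{"time": "2023-05-02T10:14:03Z", "eventCode": 4648, "service": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "source_host": "WEB01", "target_user": "svc_app", "target_host": "FS01", "result": "SUCCESS"}
{"time": "2023-05-02T10:14:03Z", "eventCode": 4648, "service": "c:\\windows\\system32\\inetsrv\\w3wp.exe", "source_host": "WEB01", "target_user": "svc_app", "target_host": "FS01", "result": "SUCCESS"}
{"time": "2023-05-02T10:14:04Z", "eventCode": 4624, "logon_type": "NETWORK", "service": "advapi", "source_host": "WEB01", "target_user": "svc_app", "target_host": "FS01", "result": "SUCCESS"}
{"time": "2023-05-02T10:14:04Z", "eventCode": 4624, "logon_type": "NETWORK", "service": "advapi", "source_host": "WEB01", "target_user": "svc_app", "target_host": "FS01", "result": "SUCCESS"}
"""


def load_events(text):
    """Parse JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def logon_type_name(value):
    """Accept the raw numeric 4624 field or an already-normalized name."""
    if isinstance(value, int):
        return LOGON_TYPES.get(value, f"UNKNOWN({value})")
    return str(value).upper()


def classify(event):
    """Explain one record: how the logon was reached and what the logon
    process (the 'service' field in the thread) says about who asked for it."""
    code = int(event["eventCode"])
    service = str(event.get("service", "")).lower()
    notes = []
    if code == 4648:
        method = "explicit credentials"
        notes.append(f"{service or 'unknown process'} supplied a username/password explicitly (4648)")
        if service.endswith("w3wp.exe"):
            notes.append("w3wp.exe is the IIS worker process: application code or the app pool used a stored/configured credential")
    elif code == 4624:
        lt = logon_type_name(event.get("logon_type"))
        method = ACCESS_METHOD.get(lt, f"unrecognized logon type {lt}")
        if service == "advapi":
            notes.append("logon process Advapi: requested through the LogonUser API (advapi32.dll) by a program such as IIS, a scheduled task or a script, not typed at a desktop")
        elif service == "user32":
            notes.append("logon process User32: credentials entered at a Windows logon screen (console or RDP)")
    else:
        method = f"event {code} not handled"
    return {"eventCode": code, "method": method, "notes": notes}


def verdict(events):
    """Answer 'what did the user do?' for all records behind one alert."""
    logons = [e for e in events if int(e["eventCode"]) == 4624]
    explicit = [e for e in events if int(e["eventCode"]) == 4648]
    types = {logon_type_name(e.get("logon_type")) for e in logons}
    if "REMOTE_INTERACTIVE" in types:
        return "Remote Desktop session"
    if "NEW_CREDENTIALS" in types:
        return "runas /netonly (new outbound credentials on an existing desktop)"
    w3wp = any(str(e.get("service", "")).lower().endswith("w3wp.exe") for e in explicit)
    advapi_net = any(str(e.get("service", "")).lower() == "advapi"
                     and logon_type_name(e.get("logon_type")) == "NETWORK" for e in logons)
    if w3wp and advapi_net:
        return "IIS application authenticated with a stored or configured credential; no interactive user action"
    if explicit:
        return "explicit credentials used (runas, PowerShell -Credential, or application code)"
    if "NETWORK" in types:
        return "network logon with existing credentials (e.g. SMB or WinRM with Kerberos/NTLM SSO)"
    return "no 4624 logon in the set; nothing to classify"


EVENTS = load_events(EVENT_LOG)

if __name__ == "__main__":
    for ev in EVENTS:
        print(json.dumps(classify(ev), indent=2))
    print("Verdict:", verdict(EVENTS))
```

The verdict ordering encodes the point made in the last reply: a RemoteInteractive (type 10) logon is checked first because it settles the RDP question on its own, NewCredentials (type 9) is the runas /netonly signature, and only then does the w3wp.exe 4648 plus Advapi/NETWORK 4624 pair get read as an IIS application logging on with a credential it holds. On a real export, check the 4648 record's target server and account against the application's connection strings or app-pool identity before closing the alert.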