Notice: Due to size constraints and loading performance considerations, scripts referenced in blog posts are not attached directly. To request access, please complete the following form: Script Request Form Note: A Google account is required to access the form.
Disclaimer: I do not accept responsibility for any issues arising from scripts being run without adequate understanding. It is the user's responsibility to review and assess any code before execution. More information

Silent Sentries: Monitoring Web Interface Security Through Automated Validation

byartic6 -
0


When managing web-based interfaces, one fundamental principle cannot be overlooked: these critical management portals must be protected behind secure resources to ensure proper accountability, transparency, and monitoring. This isn't just about access control—it's about creating a comprehensive security posture that leaves no room for shadow operations.

Proactive Monitoring: Honeypot Set

While my initial approach used 15-minute intervals via Windows Task Scheduler, I quickly realized a fundamental flaw in this timing. The quickest interval available through Task Scheduler is 15 minutes—and 15 minutes is practically a lifetime to someone who knows what they're doing.

Consider what a determined perpetrator can accomplish in 15 minutes:

  • Change the security setting
  • Access the management interface from their unauthorized address
  • Perform whatever administrative tasks they intended
  • Change the configuration back to its secure state
  • Cover their tracks

By the time the next scheduled check runs, everything appears normal. The perpetrator operates undetected, having exploited that 15-minute window of opportunity.

Real-Time Continuous Monitoring

The solution became clear: move from scheduled intervals to continuous monitoring. Once the scheduled task starts, it runs perpetually, and the script itself manages the check intervals - defined in script as a variable.

# Continuous monitoring with intelligent throttling
param(
    [int]$CheckIntervalSeconds = 900,
    [int]$EmailCooldownMinutes = 60
)

# Email throttling to prevent inbox flooding
$script:lastEmailTime = $null
$script:cooldownPeriod = [TimeSpan]::FromMinutes($EmailCooldownMinutes)

function Test-EmailCooldown {
    if ($script:lastEmailTime -eq $null) {
        return $true  # No previous email sent
    }
    
    $timeSinceLastEmail = (Get-Date) - $script:lastEmailTime
    return $timeSinceLastEmail -gt $script:cooldownPeriod
}

With variable set intervals, the window of opportunity shrinks to practically nothing. By the time a perpetrator has changed the configuration and logged in, the alert will have already fired. The monitoring system becomes a real-time sentinel rather than a periodic patrol.

Smart Alert Management

Continuous monitoring introduces a new challenge: preventing email flooding. The solution involves intelligent throttling:

function Send-ThrottledAlert {
    param([array]$FailedServers, [array]$UnreachableServers)
    
    if (-not (Test-EmailCooldown)) {
        $timeRemaining = $script:cooldownPeriod - ((Get-Date) - $script:lastEmailTime)
        Write-Host "Email throttled. Next email available in $([math]::Round($timeRemaining.TotalMinutes, 1)) minutes." -ForegroundColor Yellow
        return $false
    }
    
    # Send immediate alert on first detection
    # Then enforce 60-minute cooldown period
}

Forensic Upgrade : Capturing RDP sessions during failure

The real genius lies not just in catching the configuration change, but in identifying exactly who was holding the metaphorical dynamite when it exploded. Enter the quser command—our digital roadrunner speed camera:

function Get-LoggedInUsers {
    param([string]$ServerName)
    
    try {
        # The ACME User Detector 3000
        $quserOutput = quser /server:$ServerName 2>$null
        
        if ($LASTEXITCODE -eq 0 -and $quserOutput) {
            $users = @()
            
            # Parse the evidence trail
            foreach ($line in $quserOutput[1..($quserOutput.Length-1)]) {
                if ($line.Trim()) {
                    $parts = $line -split '\s+', 5
                    if ($parts.Length -ge 4) {
                        $users += [PSCustomObject]@{
                            Username = $parts[0].Trim()      # The perpetrator's identity
                            SessionName = if ($parts[1] -eq '>') { "Console" } else { $parts[1].Trim() }
                            SessionId = if ($parts[1] -eq '>') { $parts[2].Trim() } else { $parts[2].Trim() }
                            State = if ($parts[1] -eq '>') { $parts[3].Trim() } else { $parts[3].Trim() }
                            LogonTime = if ($parts[1] -eq '>') { $parts[4].Trim() } else { $parts[4].Trim() }
                        }
                    }
                }
            }
            return $users
        }
    }
    catch {
        # Even when the coyote thinks they've cut the phone lines...
        Write-Verbose "ACME User Detector malfunction on $ServerName: $($_.Exception.Message)"
        return $null
    }
}

Why is this extra step beneficial?

Now when our security configuration changes, we don't just know that something happened—we know exactly who was remotely connected to the server when the ACME anvil fell:

# Enhanced detection with instant attribution
if ($response.Content -match [regex]::Escape($expectedString)) {
    $secureCount++  # All secure, roadrunner safe
} else {
    # ACME trap triggered! Get the perpetrator list
    $loggedInUsers = Get-LoggedInUsers -ServerName $server
    
    $failedServers += [PSCustomObject]@{
        Server = $server
        Status = "Configuration Compromised"
        Details = "Security denial message missing - unauthorized access possible"
        Url = $serverUrl
        LoggedInUsers = $loggedInUsers  # The smoking gun
        DetectionTime = Get-Date        # Exact moment of capture
    }
}

Forensic Evidence Report

When the dust settles and the smoke clears, our email report now reads with evidence based factual data:

🚨 vpn-gw-002 - USERS LOGGED IN:
👤 WILE.E.COYOTE | Session: Console | ID: 1 | State: Active | Since: 12/15/2024 2:30 PM
👤 ACME.ADMIN | Session: RDP-Tcp#2 | ID: 3 | State: Active | Since: 12/15/2024 2:45 PM

Just like the Road Runner's inevitable "BEEP BEEP" as he speeds past the coyote's latest contraption failure, our monitoring system now delivers its own message: we see you, we know who you are, and we know exactly when you were there.

Visual of the email Notification

First we start with the header that advises of the issue and which cycle the issue was detected as below:


Then we can see the server affected and the user that is logged into that server:

Task Scheduler Configuration

This does not control the interval of the check it just ensure the script is running after System reboot.

  • Trigger: At system startup
  • Action: Run PowerShell script continuously
  • Settings:
    • "Run whether user is logged on or not"
    • "Do not stop if runs longer than 3 days"
    • "If task is already running, do not start new instance"

Once started, the task runs perpetually, with the script managing its own 5-second check intervals. This eliminates the 15-minute vulnerability window entirely.

Illuminating the Shadows

By implementing automated validation of our security configurations, we've created a system that continuously verifies our defensive posture. More importantly, we've established a mechanism that makes shadow operations significantly more difficult to execute undetected.

The honey pot analogy is particularly apt—by creating an attractive target that appears vulnerable but is actually monitored, we can identify when someone attempts to exploit what they believe is a security gap.

The perpetrator might think they're being clever, but they're actually painting a giant target on themselves—complete with name, session details, and timestamp. In true ACME fashion, their own actions become the evidence that leads to their identification.

Tags
Previous Post Next Post

نموذج الاتصال