PowerShell 7 script to recursively scan IIS logs for signs of:
- SQL injection
- Web shell activity
- File inclusion / LFI / RFI
It’s built for DFIR at scale – think tens of thousands of log files and tens of gigabytes of data – using:
ForEach-Object -Parallel(PowerShell 7+)- Streaming reads via
[System.IO.File]::ReadLines() - Regex-based signatures for common web attacks
-
🔎 Recursive scan of a root directory for IIS log files (
*.logby default) -
⚡ Parallel processing with configurable
ThrottleLimit -
🧪 Attack detection categories
SQLi– SQL injection and related DB-enumeration patternsWebShell– webshell-like file names, RCE-ish commands, recon commandsFileInclusion– LFI/RFI patterns, directory traversal, remote includes
-
🕒 Time-scoped analysis with
-StartDate/-EndDatefiltering on fileLastWriteTime -
📄 CSV output with useful fields per hit:
- File, LineNumber, Type, Date, Time, ClientIP, UriStem, UriQuery, Status, TimeTaken, RawLine
- PowerShell 7+ (for
ForEach-Object -Parallel) - Windows (designed for IIS W3C logs, but will happily read any text logs)
- Sufficient permissions to read the log directory
Scan all IIS logs under a root directory and write hits to WebAttackHits.csv:
pwsh.exe -File .\scanner.ps1 `
-RootPath "E:\CDFA\2025-11-19T222507_Kape_Mercury\C\inetpub\logs\LogFiles"pwsh.exe -File .\scanner.ps1 `
-RootPath "E:\CDFA\...\LogFiles" `
-OutputCsv ".\iis_web_attacks.csv"Use more runspaces to speed up scanning on multi-core systems:
pwsh.exe -File .\scanner.ps1 `
-RootPath "E:\CDFA\...\LogFiles" `
-ThrottleLimit 24 `
-OutputCsv ".\iis_web_attacks.csv"Tip:
- On SSD/NVMe, a higher
ThrottleLimit(e.g. 16–32) can help.- On spinning disks or slow network shares, too many workers can cause I/O thrashing.
Filter files by LastWriteTime to focus on a specific incident window.
Only logs modified on or after a date:
pwsh.exe -File .\scanner.ps1 `
-RootPath "E:\CDFA\...\LogFiles" `
-StartDate "2025-11-18"Specific time window:
pwsh.exe -File .\scanner.ps1 `
-RootPath "E:\CDFA\...\LogFiles" `
-StartDate "2025-11-18T00:00:00" `
-EndDate "2025-11-19T23:59:59" `
-OutputCsv ".\iis_web_attacks_incident.csv"See which files are being scanned and how many remain after filters:
pwsh.exe -File .\scanner.ps1 `
-RootPath "E:\CDFA\...\LogFiles" `
-ThrottleLimit 12 `
-VerboseMode| Parameter | Required | Type | Description |
|---|---|---|---|
RootPath |
✅ | string |
Root directory to recursively search for log files. |
OutputCsv |
❌ | string |
Output CSV path. Default: WebAttackHits.csv. |
IncludeExtensions |
❌ | string[] |
File patterns to include (name-based). Default: *.log. |
ThrottleLimit |
❌ | int |
Number of parallel runspaces to use. Default: 8. |
StartDate |
❌ | datetime |
Only scan files with LastWriteTime >= StartDate. |
EndDate |
❌ | datetime |
Only scan files with LastWriteTime <= EndDate. |
VerboseMode |
❌ | switch |
Enables verbose logging (Write-Verbose). Helpful for tuning and debugging. |
The script operates line-by-line over IIS W3C logs using [System.IO.File]::ReadLines(). For each non-comment line:
-
Matches against a combined regex (
$CombinedPattern) to quickly skip non-interesting lines. -
If it passes the gate, the line is classified into one of:
SQLiWebShellFileInclusionUnknown(matched combined pattern but not any category-specific pattern)
-
If a
#Fields:header is seen, the script builds a field map so it can extract:date,time,c-ip,cs-uri-stem,cs-uri-query,sc-status,time-taken(if present)
-
A
PSCustomObjectis created per hit and later exported to CSV.
Heuristics include (case-insensitive):
UNION SELECTSELECT ... FROMINSERT INTO,UPDATE ... SET,DELETE FROM,DROP TABLE/DATABASEEXEC/xp_cmdshell/ genericexec sp_/xp_WAITFOR DELAY,SLEEP(information_schema,sysobjects,sys.tables- Stacked queries via
;or%3Bfollowed by SQL verbs
Patterns include:
-
Suspicious shell-like script names:
cmd.php,shell.asp,webshell.aspx,c99.php,r57.php, etc.
-
Common admin/single-file tools:
phpinfo.php,adminer.php
-
Query-string parameters indicating RCE / shell-like usage:
cmd=,exec=,command=,shell=,upload=,file=,dir=,run=
-
Use of Windows tools with flags:
cmd.exe /c,powershell.exe -enc,certutil.exe,bitsadmin.exe
-
Recon commands:
whoami,systeminfo,ipconfig,net user,net group,net localgroup
Looks for:
-
Directory traversal in parameters (
../,..%2f) -
Remote file inclusion:
file=,page=,include=,view=pointing tohttp://,https://,ftp://,php://, etc.
-
Windows paths and UNC paths:
C:\,\\server\share,%5c%5c
-
php://wrappers in parameters (common in PHP RFI attacks)
The resulting CSV contains one row per hit. Columns:
File– Full path to the log fileLineNumber– Line number within that fileType–SQLi,WebShell,FileInclusion, orUnknownDate– IISdatefield (if present)Time– IIStimefield (if present)ClientIP– IISc-ip(if present)UriStem–cs-uri-stemUriQuery–cs-uri-queryStatus–sc-statusTimeTaken–time-takenRawLine– Full original log line
You can load this CSV into Excel, Power BI, your SIEM, or any other tool to:
- Pivot by
ClientIPto identify attacker IPs - Pivot by
Typeto separate SQLi/webshell/LFI activity - Filter by
StatusandTimeTakento look for errors or long-running requests
-
Identify a suspicious SQL Server host with
sqlservr.exe → cmd.exe /c .... -
Use
StartDate/EndDateto narrow IIS logs around that timeframe. -
Run the scanner with a higher
ThrottleLimitfor speed. -
Open the CSV and:
- Filter by
Type = SQLiorType = WebShell. - Group by
ClientIPandUriStemto see which IPs hit which endpoints. - Correlate timestamps with host-level EDR/Sysmon logs on the SQL and IIS servers.
- Filter by
- This is heuristic-based detection; false positives are expected in noisy environments.
- IIS logs do not include POST bodies by default, which limits visibility into some SQLi/WebShell payloads.
- The script assumes W3C formatted logs with
#Fields:header; if fields are missing, those values will be left null.
Potential future enhancements:
- Separate
SQL_RCEcategory (e.g.,xp_cmdshell+ OS commands) - Configurable pattern sets via external JSON/YAML
- Output summaries (e.g., top attacking IPs, top hit URIs by type)
- Optional integration with a SIEM / log indexer
