PowerShell Web Access Installation - PsScript

 1title: PowerShell Web Access Installation - PsScript
 2id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
 3status: test
 4description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
 5references:
 6    - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
 7    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
 8    - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
 9author: Michael Haag
10date: 2024-09-03
11tags:
12    - attack.persistence
13    - attack.t1059.001
14logsource:
15    product: windows
16    category: ps_script
17    definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19    selection_install:
20        ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'
21    selection_config:
22        ScriptBlockText|contains: 'Install-PswaWebApplication'
23    selection_auth:
24        ScriptBlockText|contains|all:
25            - 'Add-PswaAuthorizationRule'
26            - '-UserName *'
27            - '-ComputerName *'
28    condition: 1 of selection_*
29falsepositives:
30    - Legitimate PowerShell Web Access installations by administrators
31level: high

References

• Install-PswaWebApplication (PowerShellWebAccess)

  

  The Install-PswaWebApplication cmdlet configures Windows PowerShell Web Access web application. This cmdlet installs the web application, associates it with a web site, and optionally creates a test SSL certificate using the useTestCertificate parameter. For security reasons web administrators should not use a test certificate for production environments.

  
  Read More

• Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | CISA

  Summary The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecu...

  
  Read More

• PSWA.md

  

  GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

Related rules

• ChromeLoader Malware Execution
• HackTool - CrackMapExec Execution
• HackTool - Default PowerSploit/Empire Scheduled Task Creation
• Potential Persistence Via Powershell Search Order Hijacking - Task
• PowerShell Create Local User