PowerShell Web Access Installation - PsScript

Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse

Sigma rule (View on GitHub)

 1title: PowerShell Web Access Installation - PsScript
 2id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
 3status: test
 4description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
 5references:
 6    - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
 7    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
 8    - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
 9author: Michael Haag
10date: 2024-09-03
11tags:
12    - attack.persistence
13    - attack.execution
14    - attack.t1059.001
15logsource:
16    product: windows
17    category: ps_script
18    definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20    selection_install:
21        ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'
22    selection_config:
23        ScriptBlockText|contains: 'Install-PswaWebApplication'
24    selection_auth:
25        ScriptBlockText|contains|all:
26            - 'Add-PswaAuthorizationRule'
27            - '-UserName *'
28            - '-ComputerName *'
29    condition: 1 of selection_*
30falsepositives:
31    - Legitimate PowerShell Web Access installations by administrators
32level: high

References

Related rules

to-top