PowerShell Web Access Installation - PsScript
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
Sigma rule (View on GitHub)
1title: PowerShell Web Access Installation - PsScript
2id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
3status: test
4description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
5references:
6 - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
7 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
8 - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
9author: Michael Haag
10date: 2024-09-03
11tags:
12 - attack.persistence
13 - attack.execution
14 - attack.t1059.001
15logsource:
16 product: windows
17 category: ps_script
18 definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20 selection_install:
21 ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'
22 selection_config:
23 ScriptBlockText|contains: 'Install-PswaWebApplication'
24 selection_auth:
25 ScriptBlockText|contains|all:
26 - 'Add-PswaAuthorizationRule'
27 - '-UserName *'
28 - '-ComputerName *'
29 condition: 1 of selection_*
30falsepositives:
31 - Legitimate PowerShell Web Access installations by administrators
32level: high
References
-
Summary The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecu...
Read More
Related rules
- Scheduled Task Executing Encoded Payload from Registry
- ChromeLoader Malware Execution
- HackTool - CrackMapExec Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Potential Persistence Via Powershell Search Order Hijacking - Task