PowerShell Web Access Installation - PsScript
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
Sigma rule (View on GitHub)
1title: PowerShell Web Access Installation - PsScript
2id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
3status: test
4description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
5references:
6 - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
7 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
8 - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
9author: Michael Haag
10date: 2024-09-03
11tags:
12 - attack.persistence
13 - attack.execution
14 - attack.t1059.001
15logsource:
16 product: windows
17 category: ps_script
18 definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20 selection_install:
21 ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'
22 selection_config:
23 ScriptBlockText|contains: 'Install-PswaWebApplication'
24 selection_auth:
25 ScriptBlockText|contains|all:
26 - 'Add-PswaAuthorizationRule'
27 - '-UserName *'
28 - '-ComputerName *'
29 condition: 1 of selection_*
30falsepositives:
31 - Legitimate PowerShell Web Access installations by administrators
32level: high
References
Related rules
- Scheduled Task Executing Encoded Payload from Registry
- ChromeLoader Malware Execution
- HackTool - CrackMapExec Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Potential Persistence Via Powershell Search Order Hijacking - Task