PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
Sigma rule
```yaml
title: PowerShell Web Access Feature Enabled Via DISM
id: 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f
status: test
description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
references:
    - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
    - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
author: Michael Haag
date: 2024-09-03
tags:
    - attack.persistence
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dism.exe'
        - OriginalFileName: 'DISM.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'WindowsPowerShellWebAccess'
            - '/online'
            - '/enable-feature'
    condition: all of selection_*
falsepositives:
    - Legitimate PowerShell Web Access installations by administrators
level: high
```
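To make the rule's matching semantics concrete, the following is an added example (not part of the Sigma rule or the Sigma project's own code) that re-implements the two selections and the `all of selection_*` condition in Python and runs them over constructed process_creation events. Sigma's `endswith`, `contains` and plain-equality modifiers compare case-insensitively, which the code reproduces by lower-casing every field; the field names `Image`, `OriginalFileName` and `CommandLine` come from the rule, while the event ids and all event contents are constructed sample data, not real telemetry.

```python
"""Evaluate the detection logic of the 'PowerShell Web Access Feature Enabled
Via DISM' Sigma rule over a handful of constructed process_creation events.

Sigma's string modifiers (endswith, contains, plain equality) compare
case-insensitively by default, so every field is lower-cased before matching.
"""


def _field(event, name):
    """Return a field lower-cased, treating a missing field as empty."""
    return str(event.get(name, "")).lower()


def selection_img(event):
    """selection_img: list items under a selection are OR-ed.

    Matching OriginalFileName from the PE version resource means a renamed
    copy of dism.exe still satisfies this selection.
    """
    return (_field(event, "Image").endswith("\\dism.exe")
            or _field(event, "OriginalFileName") == "dism.exe")


def selection_cli(event):
    """selection_cli: CommandLine|contains|all requires every needle."""
    cmd = _field(event, "CommandLine")
    needles = ("windowspowershellwebaccess", "/online", "/enable-feature")
    return all(n in cmd for n in needles)


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry); field names follow the
# Windows process_creation schema the rule's logsource refers to.
SAMPLE_EVENTS = [
    {   # enabling the feature with the canonical binary: should fire
        "id": "evt-1",
        "Image": r"C:\Windows\System32\Dism.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": "dism.exe /Online /Enable-Feature "
                       "/FeatureName:WindowsPowerShellWebAccess /All",
    },
    {   # routine DISM inventory call: must not fire
        "id": "evt-2",
        "Image": r"C:\Windows\System32\Dism.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": "dism.exe /online /get-features",
    },
    {   # same feature installed through PowerShell rather than DISM: out of
        # scope for this rule (the related 'PowerShell Web Access Installation
        # - PsScript' rule listed on the page covers that path)
        "id": "evt-3",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -Command Install-WindowsFeature "
                       "WindowsPowerShellWebAccess",
    },
    {   # dism.exe copied under another name; OriginalFileName still reads
        # DISM.EXE, so the OR in selection_img catches it
        "id": "evt-4",
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": "update.exe /online /enable-feature "
                       "/featurename:WindowsPowerShellWebAccess",
    },
    {   # disabling the feature: the rule only keys on /enable-feature
        "id": "evt-5",
        "Image": r"C:\Windows\System32\Dism.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": "dism.exe /online /disable-feature "
                       "/featurename:WindowsPowerShellWebAccess",
    },
]


def alerting_event_ids(events=SAMPLE_EVENTS):
    """Return the ids of events that satisfy the rule's condition."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']}: {'ALERT' if matches(e) else 'no match'}")
```

Only `evt-1` and `evt-4` satisfy the condition. The fourth event shows why the rule pairs `Image|endswith` with `OriginalFileName`: telemetry that carries the PE version resource lets the selection hold even when the binary path no longer ends in `dism.exe`. Because the rule is `level: high` and its documented false positive is a legitimate administrator install, triage of a hit should confirm who ran the command and whether a PowerShell Web Access deployment was planned, rather than tuning the selections themselves.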
Related rules
- UAC Bypass With Fake DLL
- PowerShell Web Access Installation - PsScript
- Remote Access Tool - AnyDesk Incoming Connection
- ChromeLoader Malware Execution
- DarkGate - User Created Via Net.EXE