← Library
sigmaDRL-1.1from SigmaHQ/sigma

PowerShell Web Access Installation - PsScript

Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse

Quality
76
FP risk
Forks
0
Views
0
ATT&CK techniques
T1059.001
Rule sourcerules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
title: PowerShell Web Access Installation - PsScript
id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
status: test
description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
references:
    - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
    - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
author: Michael Haag
date: 2024-09-03
tags:
    - attack.persistence
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_install:
        ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'
    selection_config:
        ScriptBlockText|contains: 'Install-PswaWebApplication'
    selection_auth:
        ScriptBlockText|contains|all:
            - 'Add-PswaAuthorizationRule'
            - '-UserName *'
            - '-ComputerName *'
    condition: 1 of selection_*
falsepositives:
    - Legitimate PowerShell Web Access installations by administrators
level: high