LoFP / It is possible that legitimate scripts or network administrators may enable PowerShell Web Access. Monitor and escalate as needed.

Techniques

Sample rules

Windows Enable PowerShell Web Access

Description

The following analytic detects the enabling of PowerShell Web Access via PowerShell commands. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the Install-WindowsFeature cmdlet with the WindowsPowerShellWebAccess parameter. This activity is significant because enabling PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially allowing an attacker to gain unauthorized access to systems and networks.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*Install-WindowsFeature*WindowsPowerShellWebAccess*","*Install-PswaWebApplication*","*Add-PswaAuthorizationRule*UserName *ComputerName *") 
| rename Computer as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest UserID 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_enable_powershell_web_access_filter`
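To make the matching concrete, here is an added Python emulation (not part of the LoFP page or the rule's own code) of the search and stats stages above, run over constructed EventCode 4104 records. The wildcard-to-regex translation assumes Splunk's case-insensitive `*` matching, and the `allowlist` argument is an assumed stand-in for the site-specific `windows_enable_powershell_web_access_filter` macro.

```python
import re

# Wildcard patterns copied from the rule's IN(...) clause above.
PATTERNS = [
    "*Install-WindowsFeature*WindowsPowerShellWebAccess*",
    "*Install-PswaWebApplication*",
    "*Add-PswaAuthorizationRule*UserName *ComputerName *",
]

def splunk_wildcard_to_regex(pattern):
    """'*' matches any run of characters (DOTALL, since 4104 script blocks span
    lines); matching is case-insensitive, as assumed for Splunk field wildcards."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)

REGEXES = [splunk_wildcard_to_regex(p) for p in PATTERNS]

def matches_rule(script_block_text):
    """True if the ScriptBlockText would satisfy the rule's IN(...) clause."""
    return any(rx.match(script_block_text) for rx in REGEXES)

def run_detection(events, allowlist=frozenset()):
    """Keep EventCode=4104 hits, rename Computer to dest, and aggregate
    count/firstTime/lastTime by EventCode ScriptBlockText dest UserID.
    allowlist: assumed filter-macro stand-in, a set of (dest, UserID) to drop."""
    groups = {}
    for e in events:
        if e["EventCode"] != 4104 or not matches_rule(e["ScriptBlockText"]):
            continue
        key = (e["EventCode"], e["ScriptBlockText"], e["Computer"], e["UserID"])
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    fields = ("EventCode", "ScriptBlockText", "dest", "UserID")
    return [dict(zip(fields, k), **v) for k, v in groups.items()
            if (k[2], k[3]) not in allowlist]

def ev(t, code, host, user, text):
    return {"_time": t, "EventCode": code, "Computer": host, "UserID": user, "ScriptBlockText": text}

# Constructed sample events (epoch seconds), not real telemetry.
PSWA = "Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools"
SAMPLE_EVENTS = [
    ev(1700000000, 4104, "srv01.corp.example", "CORP\\admin", PSWA),
    ev(1700000060, 4104, "srv01.corp.example", "CORP\\admin", PSWA),  # same block, later
    ev(1700000120, 4104, "srv02.corp.example", "CORP\\svc",
       "Add-PswaAuthorizationRule -UserName CORP\\jdoe -ComputerName srv02 -ConfigurationName Microsoft.PowerShell"),
    ev(1700000180, 4104, "srv03.corp.example", "CORP\\ops", "Get-WindowsFeature -Name Web-Server"),  # benign
    ev(1700000240, 4103, "srv03.corp.example", "CORP\\ops", "Install-PswaWebApplication -UseTestCertificate"),  # wrong EventCode
]
```

Running `run_detection(SAMPLE_EVENTS)` yields two rows (srv01 with count 2, srv02 with count 1); adding the srv01 admin pair to `allowlist` reproduces what a tuned filter macro would suppress.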