Techniques
Sample rules
PowerShell Web Access Feature Enabled Via DISM
- source: sigma
- techniques:
- t1548
- t1548.002
Description
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains|all:
        - WindowsPowerShellWebAccess
        - /online
        - /enable-feature
selection_img:
    - Image|endswith: \dism.exe
    - OriginalFileName: DISM.EXE
PowerShell Web Access Installation - PsScript
- source: sigma
- techniques:
- t1059
- t1059.001
Description
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
Detection logic
condition: 1 of selection_*
selection_auth:
    ScriptBlockText|contains|all:
        - Add-PswaAuthorizationRule
        - -UserName *
        - -ComputerName *
selection_config:
    ScriptBlockText|contains: Install-PswaWebApplication
selection_install:
    ScriptBlockText|contains: Install-WindowsFeature WindowsPowerShellWebAccess
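To see what the two rules above actually fire on, the following added example (not part of the Sigma rule set or of this page) transcribes both detection blocks into Python data and runs them over a handful of constructed process-creation and script-block events. The matcher implements only the Sigma semantics the rules use: case-insensitive string comparison, `*` wildcards, the `contains`, `endswith` and `all` modifiers, a list of maps as OR, a single map as AND, and the `all of` / `1 of` conditions. The event records, hostnames and account names are made up for the example.

```python
"""Evaluate the two PSWA Sigma rules above against constructed sample events.

Added example; the rule bodies are transcribed from the page, everything
else (matcher, event records) is constructed here and is not Sigma's own code.
"""
import re

# Rule 1 (process_creation): all selections must match.
RULE_DISM = {
    "condition": "all",
    "selections": {
        "selection_cli": {"CommandLine|contains|all": [
            "WindowsPowerShellWebAccess", "/online", "/enable-feature"]},
        # list of maps = OR: either the image path or the PE original name
        "selection_img": [{"Image|endswith": r"\dism.exe"},
                          {"OriginalFileName": "DISM.EXE"}],
    },
}
# Rule 2 (ps_script): any one selection is enough.
RULE_PSSCRIPT = {
    "condition": "any",
    "selections": {
        "selection_auth": {"ScriptBlockText|contains|all": [
            "Add-PswaAuthorizationRule", "-UserName *", "-ComputerName *"]},
        "selection_config": {"ScriptBlockText|contains": "Install-PswaWebApplication"},
        "selection_install": {"ScriptBlockText|contains":
                              "Install-WindowsFeature WindowsPowerShellWebAccess"},
    },
}
RULES = {"PowerShell Web Access Feature Enabled Via DISM": RULE_DISM,
         "PowerShell Web Access Installation - PsScript": RULE_PSSCRIPT}


def _to_regex(value, modifiers):
    # Sigma values are case-insensitive; '*' and '?' are wildcards.
    body = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    if "contains" in modifiers:
        body = ".*" + body + ".*"
    elif "endswith" in modifiers:
        body = ".*" + body
    elif "startswith" in modifiers:
        body = body + ".*"
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def _field_matches(event, key, values):
    field, *modifiers = key.split("|")
    actual = event.get(field)
    if actual is None:          # field absent from this log source: no match
        return False
    values = values if isinstance(values, list) else [values]
    hits = [_to_regex(v, modifiers).fullmatch(str(actual)) is not None for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def _selection_matches(event, selection):
    if isinstance(selection, list):                       # OR over alternatives
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())  # AND


def rule_matches(event, rule):
    results = [_selection_matches(event, s) for s in rule["selections"].values()]
    return all(results) if rule["condition"] == "all" else any(results)


# Constructed events (labels are ours, values are illustrative only).
EVENTS = [
    ("dism enables PSWA", {"Image": r"C:\Windows\System32\Dism.exe", "OriginalFileName": "DISM.EXE",
     "CommandLine": "Dism.exe /online /enable-feature /featurename:WindowsPowerShellWebAccess /all"}),
    ("dism renamed, original name intact", {"Image": r"C:\Users\Public\d.exe", "OriginalFileName": "DISM.EXE",
     "CommandLine": "d.exe /online /enable-feature /featurename:WindowsPowerShellWebAccess"}),
    ("dism enables unrelated feature", {"Image": r"C:\Windows\System32\Dism.exe", "OriginalFileName": "DISM.EXE",
     "CommandLine": "Dism.exe /online /enable-feature /featurename:TelnetClient"}),
    ("pswa feature install", {"ScriptBlockText": "Install-WindowsFeature WindowsPowerShellWebAccess -IncludeManagementTools"}),
    ("pswa feature install with -Name", {"ScriptBlockText": "Install-WindowsFeature -Name WindowsPowerShellWebAccess"}),
    ("pswa web app", {"ScriptBlockText": "Install-PswaWebApplication -UseTestCertificate"}),
    ("pswa auth rule by user", {"ScriptBlockText":
     "Add-PswaAuthorizationRule -UserName CONTOSO\\svc-ops -ComputerName * -ConfigurationName Microsoft.PowerShell"}),
    ("pswa auth rule by group", {"ScriptBlockText":
     "Add-PswaAuthorizationRule -UserGroupName 'CONTOSO\\PSWA Users' -ComputerGroupName 'CONTOSO\\Jump Hosts'"}),
    ("benign script", {"ScriptBlockText": "Get-WindowsFeature | Where-Object Installed"}),
]


def evaluate(events=EVENTS):
    """Return {event label: [rule titles that fired]} for the given events."""
    return {label: [name for name, rule in RULES.items() if rule_matches(ev, rule)]
            for label, ev in events}


if __name__ == "__main__":
    for label, fired in evaluate().items():
        print(f"{label:38} -> {fired or '-'}")
```

Two of the constructed events show where the rules are narrower than the activity they describe: `Install-WindowsFeature -Name WindowsPowerShellWebAccess` does not contain the literal string `Install-WindowsFeature WindowsPowerShellWebAccess`, and an authorization rule written with `-UserGroupName`/`-ComputerGroupName` never contains `-UserName`, so neither fires. The trailing `*` in `-UserName *` adds nothing after a `contains` modifier. Conversely, the DISM rule's OR on `OriginalFileName` still catches a renamed `dism.exe`, as long as the PE header is intact.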