Windows PowerShell web access installation using PsScript

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects the installation and configuration of Windows PowerShell Web Access, which can be used by attackers to establish a web-based PowerShell remote access backdoor.

Strategy

This rule monitors Windows event logs for PowerShell script block executions (script block logging, Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) that contain commands related to PowerShell Web Access setup and configuration. It matches script blocks that contain Install-WindowsFeature together with the WindowsPowerShellWebAccess feature name, or that call the Install-PswaWebApplication or Add-PswaAuthorizationRule cmdlets. It also looks for overly broad authorization parameters such as -UserName * or -ComputerName *, which grant access to any user or to any target computer. PowerShell Web Access is a Windows Server feature that exposes a PowerShell console through an IIS-hosted web gateway, so that a user can run PowerShell commands on internal hosts from a web browser; once it is installed with a wildcard authorization rule, anyone who can authenticate to the gateway has remote PowerShell on the computers the rule covers. Script block logging must be enabled on the monitored hosts for these events to exist; without it, this rule has no data to match.
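The following is an added example of the matching logic described above, run over a handful of constructed script-block events; it is not the rule's own query or code from the original page. It assumes the events are Event ID 4104 script-block records with the script text in a `script_block` field (the field names and the sample events are invented), and it goes slightly beyond the text by matching cmdlet names case-insensitively (as PowerShell does) and by coping with a script block that spans several lines. Wildcard grants are reported as a separate flag only when one of the setup indicators is also present; the page does not say how the rule itself weights them.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events in the shape of PowerShell script block logging
# (Event ID 4104) records. These are invented for the example, not captured data.
SAMPLE_EVENTS = [
    {"host": "srv-web01", "event_id": 4104,
     "script_block": "Install-WindowsFeature `\n    -Name WindowsPowerShellWebAccess -IncludeManagementTools"},
    {"host": "srv-web01", "event_id": 4104,
     "script_block": "Install-PswaWebApplication -UseTestCertificate"},
    {"host": "srv-web01", "event_id": 4104,
     "script_block": "Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *"},
    {"host": "srv-app02", "event_id": 4104,
     "script_block": "Add-PswaAuthorizationRule -UserName 'CORP\\ops-admins' "
                     "-ComputerName srv-app02 -ConfigurationName Microsoft.PowerShell"},
    {"host": "srv-app02", "event_id": 4104,
     "script_block": "Get-WindowsFeature | Where-Object Installed"},
    # Not a script block event; the rule only reads 4104, so this must be ignored.
    {"host": "srv-db03", "event_id": 4103,
     "script_block": "Install-PswaWebApplication"},
    # Install-WindowsFeature without the PSWA feature name does not match.
    {"host": "srv-web01", "event_id": 4104,
     "script_block": "Install-WindowsFeature -Name Web-Server"},
]

# PowerShell cmdlet and feature names are case-insensitive, so match that way.
INSTALL_FEATURE = re.compile(r"\bInstall-WindowsFeature\b", re.IGNORECASE)
PSWA_FEATURE = re.compile(r"\bWindowsPowerShellWebAccess\b", re.IGNORECASE)
PSWA_CMDLETS = re.compile(
    r"\b(Install-PswaWebApplication|Add-PswaAuthorizationRule)\b", re.IGNORECASE)
# -UserName * / -ComputerName *, with or without quotes around the asterisk.
WILDCARD_GRANT = re.compile(r"-(UserName|ComputerName)\s+['\"]?\*", re.IGNORECASE)

CANONICAL = {
    "install-pswawebapplication": "Install-PswaWebApplication",
    "add-pswaauthorizationrule": "Add-PswaAuthorizationRule",
}


@dataclass
class Finding:
    host: str
    indicators: list[str]   # which PSWA setup indicators fired
    wildcard_grant: bool    # True if -UserName * or -ComputerName * was seen
    script_block: str


def evaluate_script_block(text: str) -> tuple[list[str], bool]:
    """Return (indicators, wildcard_grant) for a single script block's text."""
    indicators: list[str] = []
    # Install-WindowsFeature only counts when the PSWA feature name is in the same block.
    if INSTALL_FEATURE.search(text) and PSWA_FEATURE.search(text):
        indicators.append("Install-WindowsFeature WindowsPowerShellWebAccess")
    seen: set[str] = set()
    for match in PSWA_CMDLETS.finditer(text):
        name = CANONICAL[match.group(1).lower()]
        if name not in seen:
            seen.add(name)
            indicators.append(name)
    wildcard = bool(WILDCARD_GRANT.search(text))
    return indicators, wildcard


def detect_pswa_setup(events: list[dict]) -> list[Finding]:
    """Apply the rule logic to a list of events and return one Finding per match."""
    findings: list[Finding] = []
    for event in events:
        if event.get("event_id") != 4104:
            continue
        text = event.get("script_block", "")
        indicators, wildcard = evaluate_script_block(text)
        if indicators:
            findings.append(Finding(event["host"], indicators, wildcard, text))
    return findings


if __name__ == "__main__":
    for finding in detect_pswa_setup(SAMPLE_EVENTS):
        flag = " [WILDCARD GRANT]" if finding.wildcard_grant else ""
        print(f"{finding.host}: {', '.join(finding.indicators)}{flag}")
```

Running the block prints four findings: three on srv-web01 (feature install, web application install, and a wildcard authorization rule, the last flagged) and one scoped rule on srv-app02 with no flag; the 4103 record and the unrelated Web-Server install are not reported. The wildcard flag is the detail a triage analyst wants first, because it distinguishes a rule that grants one group access to one host from one that opens every computer to every user.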

Triage & Response

  • Examine the complete PowerShell script block content to understand the full scope of the PowerShell Web Access configuration on {{host}}: whether the feature was installed, whether the web application was deployed (and with which certificate), and which authorization rules were added.
  • Verify whether the PowerShell Web Access installation was authorized and part of a documented change. An unannounced installation on a host that is not meant to be a management gateway is suspicious on its own.
  • Review the authorization rules that were created, for example with Get-PswaAuthorizationRule on {{host}}, to determine which users and computers were granted access. Wildcard rules (-UserName *, -ComputerName *, -ConfigurationName *) let any user who can authenticate to the gateway reach any computer and should be treated as a significant exposure.
  • If unauthorized, remove the authorization rules, remove the web application, and uninstall the feature, for example with Remove-PswaAuthorizationRule, Uninstall-PswaWebApplication, and Uninstall-WindowsFeature -Name WindowsPowerShellWebAccess. Preserve the IIS site configuration and logs first if a forensic investigation is needed.
  • Review the authentication events for any users who may have accessed the system through PowerShell Web Access, including the gateway's IIS access logs and Windows logon events on {{host}} and on the target computers named in the authorization rules.