Windows PowerShell web access installation using PsScript

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects the installation and configuration of Windows PowerShell Web Access, which can be used by attackers to establish a web-based PowerShell remote access backdoor.

Strategy

This rule monitors Windows event logs for PowerShell script block executions that include commands related to PowerShell Web Access setup and configuration. The detection targets script blocks containing Install-WindowsFeature combined with WindowsPowerShellWebAccess, Install-PswaWebApplication, or Add-PswaAuthorizationRule commands. It also looks for wildcard authorization parameters such as -UserName * or -ComputerName *, which grant access to any user or any target computer. PowerShell Web Access provides a web-based PowerShell interface that allows users to run PowerShell commands remotely through a web browser.
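The matching logic described above, written out as an added example (not the rule's own implementation) and run over constructed script block records; it assumes each record is a dict carrying the PowerShell/Operational Event ID (4104 for script block logging), the host, and the ScriptBlockText field:

```python
import re
from typing import Dict, List

# Indicator patterns taken from the rule's strategy text. PowerShell is
# case-insensitive, so each pattern is compiled with re.IGNORECASE.
FEATURE_INSTALL = re.compile(
    r"Install-WindowsFeature\b[^\n;|]*\bWindowsPowerShellWebAccess\b", re.IGNORECASE)
PSWA_CMDLETS = re.compile(
    r"\b(Install-PswaWebApplication|Add-PswaAuthorizationRule)\b", re.IGNORECASE)
# -UserName * / -ComputerName * (bare or quoted) authorizes every user / every target.
WILDCARD_AUTH = re.compile(
    r"-(UserName|ComputerName)\s+(['\"]?)\*\2(?=\s|$)", re.IGNORECASE)

def classify_script_block(text: str) -> List[str]:
    """Return the rule indicators present in one script block (empty if benign)."""
    hits: List[str] = []
    if FEATURE_INSTALL.search(text):
        hits.append("feature_install")
    hits.extend(m.group(1) for m in PSWA_CMDLETS.finditer(text))
    hits.extend(f"wildcard:-{m.group(1)}" for m in WILDCARD_AUTH.finditer(text))
    return hits

def evaluate(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the rule to a batch of event records, one alert per matching block."""
    alerts = []
    for ev in events:
        # Only PowerShell/Operational Event ID 4104 (script block logging)
        # carries ScriptBlockText; other event IDs are out of scope for this rule.
        if ev.get("EventID") != 4104:
            continue
        indicators = classify_script_block(str(ev.get("ScriptBlockText", "")))
        if indicators:
            alerts.append({"host": ev["host"], "indicators": indicators})
    return alerts

# Constructed sample events (not real telemetry) covering each indicator.
SAMPLE_EVENTS = [
    {"host": "web01", "EventID": 4104, "ScriptBlockText":
     "Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools"},
    {"host": "web01", "EventID": 4104, "ScriptBlockText":
     "Install-PswaWebApplication -UseTestCertificate"},
    {"host": "web01", "EventID": 4104, "ScriptBlockText":
     "Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *"},
    {"host": "web02", "EventID": 4104, "ScriptBlockText": "Get-WindowsFeature -Name Web-Server"},
    {"host": "web02", "EventID": 4103, "ScriptBlockText": "Add-PswaAuthorizationRule -UserName *"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The third sample block fires both the cmdlet indicator and two wildcard indicators, which is the combination triage should treat as highest priority.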

Triage & Response

  • Examine the complete PowerShell script block content to understand the full scope of the PowerShell Web Access configuration on {{host}}.
  • Verify if the PowerShell Web Access installation was authorized and part of a documented change.
  • Review the authorization rules that were created to determine which users and computers were granted access.
  • If unauthorized, uninstall the PowerShell Web Access feature using Uninstall-WindowsFeature -Name WindowsPowerShellWebAccess.
  • Review the authentication events for any users who may have accessed the system through PowerShell Web Access.