PowerShell Web Access Installation - PsScript

About the rule

Rule Type

Standard

Rule Description

PowerShell Web Access (PSWA) allows administrators to run PowerShell commands and scripts on a remote Windows machine via a web browser. While useful for legitimate remote administration, attackers may misuse it to establish persistent, stealthy remote access to compromised systems.

Once PSWA is installed using commands like Install-WindowsFeature WindowsPowerShellWebAccess or configured with Install-PSWAWebApplication and Add-PSWAAuthorizationRule, adversaries can tunnel PowerShell sessions over HTTPS and evade many traditional detection mechanisms.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access via public-facing application exploit → Local privilege escalation → Attacker installs PowerShell Web Access → Authorization rule created for attacker-controlled user

Impact

• Unauthorized remote access
• VPN bypass
• Backdoor creation

Rule Requirement

Prerequisites

Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

(((( SCRIPTEXECUTED CONTAINS ""win32_shadowcopy"" ) AND( SCRIPTEXECUTED CONTAINS "".create"" ) AND( SCRIPTEXECUTED CONTAINS ""clientaccessible"" ) )))

This rule is triggered when the executed script contains the following suspicious elements:

• win32_shadowcopy: Refers to the WMI class used to manage Windows Volume Shadow Copies.
• .create: Indicates a method call to create a shadow copy.
• clientaccessible: Refers to an attribute that makes the shadow copy accessible to client applications.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of attempts to install or authorize access to PSWA. This enables you to monitor runtime environments like PowerShell, identify potential credential compromises, and detect attempts to create AD snapshots.

Author

Michael Haag

Future actions

Known False Positives

This rule might be triggered during legitimate PowerShell Web Access installations by administrators.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell activities: Audit and limit use of Add-PSWAAuthorizationRule to known admin accounts.

Mitigation