PowerShell Web Access Feature Enabled Via DISM

About the rule

Rule Type

Standard

Rule Description

PowerShell Web Access is a legitimate Windows feature that, when enabled, allows remote access to PowerShell sessions via a browser—potentially exposing administrative functionality to the network. Attackers or unauthorized users may activate this feature using the Deployment Image Servicing and Management (DISM.exe) utility to expand the system’s attack surface or maintain persistence.
This rule detects the enabling of the PowerShellWebAccess feature using DISM.exe, which is seldom required in regular operations and may indicate preparatory steps for lateral movement, remote command execution, or privileged remote access.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → Feature enablement via DISM → Remote PowerShell session exposure → Impact

Impact

• Defense evasion
• System exposure to unauthorized remote access
• Facilitation of lateral movement
• Unauthorized command execution
• Persistence

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Abuse Elevation Control Mechanism - Bypass User Account Control (T1548.002), Privilege Escalation: Abuse Elevation Control Mechanism - Bypass User Account Control (T1548.002)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you’re notified of the activation of PowerShell Web Access through DISM.exe, enabling you to track risky feature changes, review user context, and assess potential exposure to remote exploitation. This supports swift detection, investigation, and mitigation of advanced attack techniques targeting privileged system access.

Author

Michael Haag

Future actions

Known False Positives

This rule may trigger during legitimate administrative maintenance, controlled system setup, or scripted deployments that require remote access for specific business reasons. Carefully review the context, executing user, and accompanying workflow to determine legitimate use.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Reconfiguration: Audit group policies and allowed features, harden server baselines, and update detection logic to further limit accidental or malicious Web Access enablement.

Mitigation