Name:Windows Enable PowerShell Web Access id:175bb2de-6227-416b-9678-9b61999cd21f version:3 date:2024-09-30 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects the enabling of PowerShell Web Access via PowerShell commands. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Install-WindowsFeature` cmdlet with the `WindowsPowerShellWebAccess` parameter. This activity is significant because enabling PowerShell Web Access can facilitate remote execution of PowerShell commands, potentially allowing an attacker to gain unauthorized access to systems and networks. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 ScriptBlockText IN ("*Install-WindowsFeature*WindowsPowerShellWebAccess*","*Install-PswaWebApplication*","*Add-PswaAuthorizationRule*UserName *ComputerName *") | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_enable_powershell_web_access_filter`
how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives:It is possible that legitimate scripts or network administrators may enable PowerShell Web Access. Monitor and escalate as needed. References: -https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a -https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'CISA AA24-241A' - 'Malicious PowerShell' asset_type:Endpoint confidence:80 impact:90 message:PowerShell Web Access has been enabled on $dest$. mitre_attack_id: - 'T1059.001' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'ScriptBlockText' - 'dest' - 'UserID' risk_score:72 security_domain:endpoint cve:
