PowerShell Web Access Feature Enabled Via DISM

Rule Info

Name
PowerShell Web Access Feature Enabled Via DISM
Author
Michael Haag
Description
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
Reference
https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature
Date
2024-09-03 00:00:00
Modified
None
Id
7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f
Tags
attack.persistence attack.t1548.002 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f

Rule History

Author
Title
Date
Commit
Michael Haag
Merge PR #4997 from @MHaggis - Add rules related to PowerShell Web Access
2024-09-03
b724a7f59
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022