diff --git a/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
new file mode 100644
index 00000000000..238391191ef
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
@@ -0,0 +1,31 @@
+title: PowerShell Web Access Installation - PsScript
+id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
+status: test
+description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
+ - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+author: Michael Haag
+date: 2024-09-03
+tags:
+ - attack.persistence
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection_install:
+ ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'
+ selection_config:
+ ScriptBlockText|contains: 'Install-PswaWebApplication'
+ selection_auth:
+ ScriptBlockText|contains|all:
+ - 'Add-PswaAuthorizationRule'
+ - '-UserName *'
+ - '-ComputerName *'
+ condition: 1 of selection_*
+falsepositives:
+ - Legitimate PowerShell Web Access installations by administrators
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
new file mode 100644
index 00000000000..f10fe04711e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
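Review bot: `selection_install` matches only the positional form `Install-WindowsFeature WindowsPowerShellWebAccess`; the form Microsoft documents for PSWA, `Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools` (and the `Add-WindowsFeature` alias), puts `-Name` between the two tokens and would not fire this selection. Replacing it with `ScriptBlockText|contains|all:` over `'-WindowsFeature'` and `'WindowsPowerShellWebAccess'` covers both spellings at little additional false-positive cost. In `selection_auth`, the trailing `*` inside `'-UserName *'`/`'-ComputerName *'` is redundant under `contains` (the value is already wrapped in wildcards), and requiring those two parameters misses the `-UserGroupName`/`-ComputerGroupName` variants of `Add-PswaAuthorizationRule`; matching the cmdlet name alone is arguably sufficient, since its presence is the signal. Separately, `attack.t1059.001` is an Execution technique, so pairing it with `attack.persistence` is inconsistent and one of the two tags should change.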
@@ -0,0 +1,29 @@
+title: PowerShell Web Access Feature Enabled Via DISM
+id: 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f
+status: test
+description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
+ - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+author: Michael Haag
+date: 2024-09-03
+tags:
+ - attack.persistence
+ - attack.t1548.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\dism.exe'
+ - OriginalFileName: 'DISM.EXE'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'WindowsPowerShellWebAccess'
+ - '/online'
+ - '/enable-feature'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate PowerShell Web Access installations by administrators
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/rules/windows/process_creation/proc_creation_win_dism_remove.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_dsim_remove.yml
rename to rules/windows/process_creation/proc_creation_win_dism_remove.yml
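Review bot: `attack.t1548.002` is "Abuse Elevation Control Mechanism: Bypass User Account Control", which does not describe enabling a Windows optional feature; the tag should be replaced, and pairing it with `attack.persistence` compounds the mismatch. The cmdlet the rule's own first reference documents, `Enable-WindowsOptionalFeature -Online -FeatureName WindowsPowerShellWebAccess`, runs in-process in PowerShell rather than spawning `dism.exe`, so neither this rule nor the companion ps_script rule in the same commit would see that path; a `ScriptBlockText|contains|all` selection on `'Enable-WindowsOptionalFeature'` and `'WindowsPowerShellWebAccess'` belongs in the script rule. `selection_cli` also requires `/online`, so enabling the feature in a mounted image (`/image:`) is out of scope — presumably intentional, but worth a line in `description` so the gap is documented.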