From ccaeef6426a198c62ea8d62cf9496f9db1dc4214 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 3 Sep 2024 13:52:03 -0600
Subject: [PATCH 1/2] PowerShell Web Access
---
 ..._ps_powershell_web_access_installation.yml | 32 +++++++++++++++++++
 ...m_enable_powershell_web_access_feature.yml | 28 ++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
new file mode 100644
index 00000000000..5c814c475d3
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
@@ -0,0 +1,32 @@
+title: PowerShell Web Access Installation
+id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
+status: test
+description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
+ - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+author: Michael Haag
+date: 2024-05-11
+modified: 2024-05-11
+tags:
+ - attack.persistence
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection_install:
+ ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'
+ selection_config:
+ ScriptBlockText|contains: 'Install-PswaWebApplication'
+ selection_auth:
+ ScriptBlockText|contains|all:
+ - 'Add-PswaAuthorizationRule'
+ - '-UserName *'
+ - '-ComputerName *'
+ condition: selection_install or selection_config or selection_auth
+falsepositives:
+ - Legitimate PowerShell Web Access installations by administrators
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
new file mode 100644
index 00000000000..8ee2a8a2179
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
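Review bot: `selection_install` only matches the literal string `Install-WindowsFeature WindowsPowerShellWebAccess`, so the documented form `Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools` (feature passed via `-Name`) and, if I recall correctly, the `Add-WindowsFeature` alias both slip past it. Splitting the value into `ScriptBlockText|contains|all:` / `- 'Install-WindowsFeature'` / `- 'WindowsPowerShellWebAccess'` closes that gap without widening the rule much, since the feature name on its own is rare in script blocks. Separately, `selection_auth` copies the advisory's `-UserName *` / `-ComputerName *`, but an unescaped `*` in a Sigma value is a wildcard, so as written these match any `Add-PswaAuthorizationRule` call that uses those parameters rather than the permissive literal-asterisk rule; if the literal is intended it must be written `'-UserName \*'`, and either way the `-UserGroupName`/`-ComputerGroupName` parameter set is not covered. The wider match is probably the better detection, in which case a one-line comment saying the `*` is deliberate wildcard use would save the next reader the same question.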
@@ -0,0 +1,28 @@
+title: DISM Enable PowerShell Web Access Feature
+id: 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f
+status: test
+description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
+ - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
+author: Michael Haag
+date: 2024-05-11
+modified: 2024-05-11
+tags:
+ - attack.persistence
+ - attack.t1548.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\dism.exe'
+ CommandLine|contains|all:
+ - 'WindowsPowerShellWebAccess'
+ - '/online'
+ - '/enable-feature'
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell Web Access installations by administrators
+level: high
\ No newline at end of file
From 2dce7de0558e9e8dcfa124f710bcc2a45bb28c78 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Tue, 3 Sep 2024 22:04:59 +0200
Subject: [PATCH 2/2] metadata update
---
 ...posh_ps_powershell_web_access_installation.yml | 9 ++++-----
 ..._dism_enable_powershell_web_access_feature.yml | 15 ++++++++-------
 ...move.yml => proc_creation_win_dism_remove.yml} | 0
 3 files changed, 12 insertions(+), 12 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_dsim_remove.yml => proc_creation_win_dism_remove.yml} (100%)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
index 5c814c475d3..238391191ef 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml
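Review bot: The first reference points at the `Enable-WindowsOptionalFeature` PowerShell cmdlet, but the detection only fires on a `dism.exe` process creation; as far as I know that cmdlet drives the DISM API in-process and does not spawn `dism.exe`, so the exact command the reference documents (`Enable-WindowsOptionalFeature -Online -FeatureName WindowsPowerShellWebAccess`) would never be seen by this rule. Either swap the reference for the dism.exe command-line documentation (`/Online /Enable-Feature`) or cover the cmdlet in the sibling ps_script rule with `ScriptBlockText|contains|all:` / `- 'Enable-WindowsOptionalFeature'` / `- 'WindowsPowerShellWebAccess'`. A short clause in `description` saying that the cmdlet path is intentionally out of scope here would also stop this being read as full coverage of the feature-enable step.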
@@ -1,4 +1,4 @@
-title: PowerShell Web Access Installation
+title: PowerShell Web Access Installation - PsScript
 id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
 status: test
 description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
@@ -7,8 +7,7 @@ references:
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
 - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
 author: Michael Haag
-date: 2024-05-11
-modified: 2024-05-11
+date: 2024-09-03
 tags:
 - attack.persistence
 - attack.t1059.001
@@ -26,7 +25,7 @@ detection:
 - 'Add-PswaAuthorizationRule'
 - '-UserName *'
 - '-ComputerName *'
- condition: selection_install or selection_config or selection_auth
+ condition: 1 of selection_*
 falsepositives:
 - Legitimate PowerShell Web Access installations by administrators
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
index 8ee2a8a2179..f10fe04711e 100644
--- a/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
+++ b/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml
@@ -1,4 +1,4 @@
-title: DISM Enable PowerShell Web Access Feature
+title: PowerShell Web Access Feature Enabled Via DISM
 id: 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f
 status: test
 description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
@@ -7,8 +7,7 @@ references:
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
 - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
 author: Michael Haag
-date: 2024-05-11
-modified: 2024-05-11
+date: 2024-09-03
 tags:
 - attack.persistence
 - attack.t1548.002
@@ -16,13 +15,15 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\dism.exe'
+ selection_img:
+ - Image|endswith: '\dism.exe'
+ - OriginalFileName: 'DISM.EXE'
+ selection_cli:
 CommandLine|contains|all:
 - 'WindowsPowerShellWebAccess'
 - '/online'
 - '/enable-feature'
- condition: selection
+ condition: all of selection_*
 falsepositives:
 - Legitimate PowerShell Web Access installations by administrators
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/rules/windows/process_creation/proc_creation_win_dism_remove.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_dsim_remove.yml
rename to rules/windows/process_creation/proc_creation_win_dism_remove.yml
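Review bot: `selection_cli` requires the literal `/online` and `/enable-feature` tokens, but as far as I recall DISM accepts its options with a leading `-` as well as `/` (e.g. `dism -online -enable-feature -featurename:WindowsPowerShellWebAccess`), so the slash-prefixed values leave a trivial bypass in an otherwise tight rule now that `selection_img` also checks `OriginalFileName`. Dropping the slash — `- 'online'` and `- 'enable-feature'` — keeps the three-way `contains|all` with `WindowsPowerShellWebAccess` as the real anchor and should cost essentially nothing in false positives. Requiring `online` at all also means enabling the feature in a mounted image via `/Image:` is out of scope, which is a reasonable choice but worth one sentence in `description` so readers know it is intentional rather than an oversight.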