PowerShell Web Access Feature Enabled Via DISM

    Date: 09/04/2024

    Severity: High

    Summary

    Detects the use of DISM (dism.exe) to enable the PowerShell Web Access feature, which can be abused for remote access and other misuse.

    Indicators of Compromise (IOC) List

    Image: '\dism.exe'

    OriginalFileName: 'DISM.EXE'

    CommandLine: 'WindowsPowerShellWebAccess', '/online', '/enable-feature'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((resourceName = "Sysmon" AND eventtype = "1") AND image = "\dism.exe") AND originalfilename = "DISM.EXE") AND commandline In ("WindowsPowerShellWebAccess", "/online", "/enable-feature")

    Detection Query 2

    (((Technologygroup = "EDR") AND image = "\dism.exe") AND originalfilename = "DISM.EXE") AND commandline In ("WindowsPowerShellWebAccess", "/online", "/enable-feature")
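As an added example that is not part of this Gurucul article or the referenced Sigma rule, the following Python applies the same three-field logic as Detection Query 1 to constructed Sysmon process-creation records. It assumes that the query's `commandline In (...)` means all three substrings must be present (the semantics of the referenced Sigma rule), that matching is case-insensitive, and that records carry Sysmon's EventID, Image, OriginalFileName and CommandLine fields.

```python
from typing import Dict, Iterable, List

# Detection criteria taken from the queries above.
IMAGE_SUFFIX = "\\dism.exe"
ORIGINAL_FILE_NAME = "DISM.EXE"
COMMAND_LINE_TOKENS = ("WindowsPowerShellWebAccess", "/online", "/enable-feature")


def matches_dism_pswa_enable(event: Dict[str, str]) -> bool:
    """True when a Sysmon EventID 1 record satisfies the detection logic.

    Assumption: `commandline In (...)` is read as 'contains all three tokens',
    the semantics of the referenced Sigma rule; comparisons are case-insensitive.
    """
    if event.get("EventID") != "1":
        return False
    if not event.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower()):
        return False
    if event.get("OriginalFileName", "").upper() != ORIGINAL_FILE_NAME:
        return False
    cmd = event.get("CommandLine", "").lower()
    return all(tok.lower() in cmd for tok in COMMAND_LINE_TOKENS)


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the detection over a stream of events and return the matching records."""
    return [ev for ev in events if matches_dism_pswa_enable(ev)]


# Constructed sample Sysmon process-creation events (not real telemetry).
DISM = r"C:\Windows\System32\Dism.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # PSWA being enabled with mixed-case switches: alerts (case-insensitive match)
    {"EventID": "1", "Image": DISM, "OriginalFileName": "DISM.EXE",
     "CommandLine": r"Dism.exe /Online /Enable-Feature /FeatureName:WindowsPowerShellWebAccess /All"},
    # DISM enabling an unrelated feature: no alert
    {"EventID": "1", "Image": DISM, "OriginalFileName": "DISM.EXE",
     "CommandLine": r"dism.exe /online /enable-feature /featurename:TelnetClient"},
    # DISM only querying the feature, '/enable-feature' absent: no alert
    {"EventID": "1", "Image": DISM, "OriginalFileName": "DISM.EXE",
     "CommandLine": r"dism.exe /online /get-featureinfo /featurename:WindowsPowerShellWebAccess"},
    # Another program that happens to be named dism.exe: no alert (OriginalFileName is checked)
    {"EventID": "1", "Image": r"C:\Tools\dism.exe", "OriginalFileName": "OTHER.EXE",
     "CommandLine": r"dism.exe /online /enable-feature /featurename:WindowsPowerShellWebAccess"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```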

    References:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml

    https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

    https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41


    Tags

    SigmaMalwareExploitation
