
Summary
This detection rule identifies use of Windows PowerShell Web Access (WPWA) by inspecting user agent strings in proxy logs. It matches user agents that contain the substring 'WindowsPowerShell/', which indicates that PowerShell is acting as a web client to communicate with remote servers. This behavior can indicate malicious activity, since PowerShell is frequently used for command-and-control (C2) communications or to evade defenses by running scripts that download or interact with external resources.

The rule is tagged with attack techniques under defense evasion and command-and-control, including T1071.001, which covers application layer protocols used for C2 communications. It is assigned a medium severity level because of the potential for misuse in malicious activity. False positives may arise from legitimate administrative scripts, common in infrastructure management, that also use PowerShell to fetch online resources or content. Findings should therefore be correlated with context before acting on identified events.
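As an added example, not part of the rule or of this page, the logic below applies the same 'WindowsPowerShell/' user-agent check to a few constructed proxy log lines (squid/Apache-style combined format, which is an assumption), extracts the PowerShell version for triage, and marks hits from a caller-supplied set of known administrative hosts so that the false positives described above can be suppressed rather than dropped.

```python
import re

# Constructed sample proxy log lines in a combined-log style; not real traffic.
SAMPLE_PROXY_LOGS = [
    '10.0.0.5 - - [13/Mar/2017:10:01:02 +0000] "GET http://updates.example.com/patch.ps1 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.693"',
    '10.0.0.7 - - [13/Mar/2017:10:02:30 +0000] "GET http://www.example.org/ HTTP/1.1" '
    '200 9331 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/56.0 Safari/537.36"',
    '10.0.0.9 - - [13/Mar/2017:10:03:11 +0000] "POST http://203.0.113.10/gate.php HTTP/1.1" '
    '200 312 "-" "Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/2.0"',
]

# Assumed log layout: src ident user [timestamp] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UA_MARKER = 'windowspowershell/'
PS_VERSION_RE = re.compile(r'WindowsPowerShell/([\d.]+)', re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not fit the assumed layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_powershell_ua(lines, known_admin_hosts=frozenset()):
    """Return records whose user agent contains 'WindowsPowerShell/'.

    The match is case-insensitive, as Sigma-style 'contains' matching usually is.
    Hits from known administrative hosts are kept but flagged 'suppressed' so an
    analyst still sees them when correlating, instead of losing them entirely.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or UA_MARKER not in rec['ua'].lower():
            continue
        ver = PS_VERSION_RE.search(rec['ua'])
        rec['ps_version'] = ver.group(1) if ver else None
        rec['suppressed'] = rec['src'] in known_admin_hosts
        hits.append(rec)
    return hits


if __name__ == '__main__':
    for h in detect_powershell_ua(SAMPLE_PROXY_LOGS, known_admin_hosts={'10.0.0.5'}):
        print(h['src'], h['method'], h['url'], 'PS', h['ps_version'], 'suppressed' if h['suppressed'] else 'ALERT')
```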
Categories
- Windows
- Network
Data Sources
- Web Credential
- Logon Session
- Network Traffic
Created: 2017-03-13