Adversaries may use PowerShell's web cmdlets, which announce themselves through the WindowsPowerShell/ user agent, to establish remote access and execute commands covertly, leveraging web access to exfiltrate data or maintain persistence. SOC teams should proactively hunt for this user agent in proxy logs ingested into Azure Sentinel to identify potential compromise of PowerShell Web Access endpoints and mitigate lateral movement risks.
Detection Rule
title: Windows PowerShell User Agent
id: c8557060-9221-4448-8794-96320e6f3e74
status: test
description: Detects Windows PowerShell Web Access
references:
    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains: ' WindowsPowerShell/'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
level: medium
imWebSession
| where HttpUserAgent contains " WindowsPowerShell/"
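The same detection logic applied offline to proxy log lines, as an added example that is not part of the original rule or page. It reproduces the rule's case-insensitive substring test (including the leading space, which keeps a product merely named "...WindowsPowerShell/..." from matching) and applies a destination allowlist in the spirit of the rule's listed administrative false positives. The log sample, column names and the allowlist are constructed assumptions.

```python
import csv
import io

# Constructed W3C-style proxy log sample (not from the original page).
# Columns: date,time,c-ip,cs-host,cs-uri-stem,c-useragent
SAMPLE_PROXY_LOG = """\
date,time,c-ip,cs-host,cs-uri-stem,c-useragent
2024-05-01,08:00:01,10.0.0.15,update.example.internal,/patch.ps1,Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2024-05-01,08:00:02,10.0.0.22,www.example.com,/,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0
2024-05-01,08:00:03,10.0.0.31,files.example.net,/stage.txt,Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2024-05-01,08:00:04,10.0.0.40,cdn.example.org,/lib.js,MyWindowsPowerShell/1.0
"""

# Constructed allowlist of destinations used by known administrative
# scripts; a real one comes from your own environment.
KNOWN_ADMIN_DESTINATIONS = frozenset({"update.example.internal"})

# Leading space as in the Sigma rule's 'c-useragent|contains' value.
MARKER = " WindowsPowerShell/"


def matches_rule(user_agent: str) -> bool:
    """Sigma 'contains' (and KQL 'contains') is a case-insensitive substring test."""
    return MARKER.lower() in user_agent.lower()


def hunt(log_text: str, allow_hosts=frozenset()):
    """Split rule hits into (alerts, suppressed) using the destination allowlist."""
    alerts, suppressed = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not matches_rule(row["c-useragent"]):
            continue
        bucket = suppressed if row["cs-host"] in allow_hosts else alerts
        bucket.append(row)
    return alerts, suppressed


if __name__ == "__main__":
    hits, quiet = hunt(SAMPLE_PROXY_LOG, KNOWN_ADMIN_DESTINATIONS)
    for r in hits:
        print("ALERT", r["c-ip"], r["cs-host"], r["cs-uri-stem"])
    for r in quiet:
        print("allowlisted", r["c-ip"], r["cs-host"])
```

Because the user agent is set by the client, treat a match as a hunting lead to pivot from (source host, destination, process) rather than a verdict on its own.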
Scenario: Scheduled Job Running PowerShell Web Access for System Maintenance
Description: A scheduled job is configured to run a PowerShell script that connects to a remote server for system updates or configuration management.
Filter/Exclusion: Check for EventID 41 (Scheduled Task) with a known job name, such as SystemUpdateJob, and ensure the script path is within a trusted directory like C:\Windows\System32\.
Scenario: Admin Task Using PowerShell Web Access to Manage Remote Servers
Description: An administrator uses PowerShell Web Access to execute commands on remote servers as part of routine administrative tasks.
Filter/Exclusion: Filter by user account with administrative privileges (e.g., Administrator or Domain Admins) and ensure the command is part of a known administrative task, such as Get-Service or Restart-Service.
Scenario: PowerShell Web Access Used for Configuration Management via Desired State Configuration (DSC)
Description: A PowerShell DSC configuration is being applied to multiple nodes using PowerShell Web Access.
Filter/Exclusion: Check for the presence of DSC-related commands like Start-DscConfiguration and ensure the configuration is stored in a known DSC configuration directory, such as C:\Program Files\WindowsPowerShell\Modules.
Scenario: PowerShell Web Access Invoked by a Trusted Third-Party Tool
Description: A trusted third-party tool (e.g., Microsoft Intune, SCCM, or Azure DevOps) uses PowerShell Web Access to perform configuration or deployment tasks.
Filter/Exclusion: Filter by the tool’s known process name (e.g., Microsoft.IntuneManagementExtension.exe) and ensure the command is part of a known deployment or configuration script.
Scenario: PowerShell Web Access Used for Log Collection or Monitoring by SIEM Tools
Description: A Security