
PowerShell Web Access: Your Network's Backdoor in Plain Sight

PowerShell Web Access (PSWA) provides browser-based remote PowerShell - a legitimate feature that attackers love to abuse for persistence and remote access.

powershell pswa persistence remote-access detection splunk

Originally published on the Splunk Security Blog
Read the full article: PowerShell Web Access: Your Network’s Backdoor

What is PowerShell Web Access?

PSWA is a Windows Server feature (available since Windows Server 2012) that hosts a PowerShell console as an IIS web application. A user signs in at https://<gateway>/pswa with Windows credentials, names a target computer, and the gateway opens a PowerShell remoting session to that computer over WinRM. Any browser on any network that can reach the gateway on port 443 gets an interactive PowerShell prompt inside the environment.

Legitimate use? Remote administration.
Attacker use? Persistent backdoor that blends in.

Why Attackers Love PSWA

  • Web-based - Only HTTPS to the gateway is needed from the outside; the gateway reaches targets over WinRM from inside, so perimeter blocks on RDP (3389) and WinRM (5985/5986) are not in the attacker's path
  • Built-in - Signed Microsoft components and an IIS site, nothing dropped on disk for AV or EDR to flag; enabling a Windows feature is the whole "implant"
  • Encrypted - The session is ordinary HTTPS to an IIS server, indistinguishable from other web traffic at the network layer
  • Authenticated - Sign-in uses domain credentials, so stolen or newly created accounts work and there is no implant-specific password or token for defenders to discover

Attack Scenario

  1. Compromise server - Any initial access that yields local administrator on a Windows Server (installing the feature needs admin rights)
  2. Enable PSWA - Install-WindowsFeature -Name WindowsPowerShellWebAccess (also installs the Web Server (IIS) role and the PSWA cmdlets)
  3. Configure gateway - Install-PswaWebApplication (creates the /pswa application under the Default Web Site; with -UseTestCertificate it also creates a self-signed certificate and an HTTPS binding)
  4. Add authorization - Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName * (PSWA denies every sign-in until a rule exists; this rule lets any user reach any computer with any session configuration)
  5. Persistent access - Browse to https://server/pswa from anywhere that can reach the gateway on 443, sign in with valid domain credentials, and land in a remote PowerShell session; the access survives reboots and leaves no implant on disk
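The scenario's steps as an operator would actually type them in an elevated PowerShell session on the compromised server, followed by the checks that show what the gateway now allows. This is an added example, not code from the original post or the Splunk article; the account and host names passed to Test-PswaAuthorizationRule are made up.

```powershell
# Added example (not from the original post): the five scenario steps as typed in an
# elevated PowerShell session on the compromised server, plus the checks that show
# what the gateway now allows. Account and host names below are hypothetical.

# Step 2: enable the feature. This also pulls in the Web Server (IIS) role and the
# PowerShellWebAccess module that provides the *-Pswa* cmdlets used below.
Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools

# Step 3: create the /pswa application under the Default Web Site. -UseTestCertificate
# also generates a self-signed certificate and an HTTPS binding on 443; without it the
# operator has to bind a certificate in IIS by hand before the gateway works. A new
# self-signed certificate on a server that never had one is a hunting signal of its own.
Install-PswaWebApplication -UseTestCertificate

# Step 4: PSWA denies every sign-in until at least one rule exists. This rule allows
# any user to reach any computer with any session configuration; Microsoft documents
# it as a test-only setting, so seeing it on a production box is a finding in itself.
Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *

# What will the gateway now allow? Test-PswaAuthorizationRule evaluates the rule set
# for a user/computer pair the same way the sign-in page does (hypothetical names).
Get-PswaAuthorizationRule
Test-PswaAuthorizationRule -UserName 'CORP\svc-backup' -ComputerName 'dc01.corp.local'

# Step 5: any browser that can reach https://<this server>/pswa on 443 now gets a
# PowerShell prompt on any host the gateway can reach over WinRM (5985/5986) and on
# which the supplied credentials are valid.
```

Everything above is a documented Microsoft administration sequence; the only attacker-specific choice is the wildcard rule in step 4, which is why that rule, rather than the feature itself, is the most reliable thing to alert on.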

Detection Strategies

All three searches below key on process-creation events (Security event 4688). They only work when Audit Process Creation is enabled together with "Include command line in process creation events"; otherwise the CommandLine field is empty. They also only fire when the cmdlet appears on a process command line, for example powershell.exe -Command "Install-PswaWebApplication"; a cmdlet typed at an interactive prompt never shows up in 4688. Pair them with PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104, field ScriptBlockText) to cover that case. Field names assume the Splunk Add-on for Microsoft Windows.

PSWA Installation

index=windows EventCode=4688 
  CommandLine="*Install-WindowsFeature*PowerShellWebAccess*"
| table _time, Computer, User, CommandLine

PSWA Web Application Setup

index=windows EventCode=4688 
  CommandLine="*Install-PswaWebApplication*"
| table _time, Computer, User, CommandLine

Authorization Rule Changes

index=windows EventCode=4688 
  CommandLine="*Add-PswaAuthorizationRule*"
| table _time, Computer, User, CommandLine

Of the three, the authorization-rule search is the one to treat as high severity: installing the feature can be a planned change, but a rule containing * for the user or computer has no legitimate production use.

Defense

  • Audit PSWA installation in your environment - Get-WindowsFeature WindowsPowerShellWebAccess on every server, and Get-PswaAuthorizationRule wherever it is installed; a rule with * in the user or computer field is never a legitimate production configuration
  • Monitor IIS logs for /pswa access - every sign-in and console session is an HTTPS request under the /pswa path, so source IP, time of day and user are visible in the W3C logs, and the sign-ins appear as logons on the gateway in the Security log
  • Restrict authorization rules tightly - name specific users or groups, specific computers and a constrained session configuration; never use wildcards outside a lab
  • Consider disabling if not needed - Uninstall-PswaWebApplication removes the IIS application and Uninstall-WindowsFeature WindowsPowerShellWebAccess removes the feature; if the gateway is not on your list of approved remote-administration paths, it should not exist
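An added audit script, in PowerShell rather than SPL, that checks a single server for everything the Detection Strategies searches and the Defense list above look for: the feature, wildcard authorization rules, the /pswa application in IIS, the setup cmdlets in 4104 and 4688 events, and /pswa hits in the IIS logs. It is not from the original post or the Splunk article. The 30-day window, the default IIS log path, and the rule property names (User, Destination, ConfigurationName, as Get-PswaAuthorizationRule displays them) are assumptions to confirm on your build.

```powershell
# Added example (not from the original post): audit one Windows Server for PSWA
# indicators. Run from an elevated PowerShell session on the server itself.
# Assumptions: 30-day lookback, default IIS log location, rule property names as
# printed by Get-PswaAuthorizationRule (User, Destination, ConfigurationName).

$pattern  = 'Install-WindowsFeature[^\r\n]*WindowsPowerShellWebAccess|Install-PswaWebApplication|Add-PswaAuthorizationRule'
$since    = (Get-Date).AddDays(-30)
$logDir   = 'C:\inetpub\logs\LogFiles'   # default W3C log root (assumption)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Feature state. Get-WindowsFeature comes from the ServerManager module and only
#    exists on Windows Server, so guard the call instead of relying on -ErrorAction.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsFeature -Name WindowsPowerShellWebAccess
    if ($feature.Installed) {
        $findings.Add('PSWA feature is installed')

        # 2. Authorization rules. A '*' in any field is the scenario's step 4.
        Import-Module PowerShellWebAccess -ErrorAction SilentlyContinue
        foreach ($rule in (Get-PswaAuthorizationRule)) {
            if ($rule.User -eq '*' -or $rule.Destination -eq '*' -or $rule.ConfigurationName -eq '*') {
                $findings.Add("Wildcard rule $($rule.Id): user=$($rule.User) computer=$($rule.Destination) config=$($rule.ConfigurationName)")
            }
        }
    }
}

# 3. The IIS application is the actual gateway; check it independently of the feature
#    state in case someone has tampered with one and not the other.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $app = Get-WebApplication | Where-Object { $_.Path -eq '/pswa' }
    if ($app) { $findings.Add("IIS application /pswa present at $($app.PhysicalPath)") }
}

# 4. Script block logging (4104) records the cmdlets even when typed interactively,
#    which process creation (4688) never sees. Requires script block logging enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object { $findings.Add("4104 $($_.TimeCreated): $([regex]::Match($_.Message, $pattern).Value)") }

# 5. Process creation (4688) only helps for scripted installs with the cmdlet on the
#    command line, and only when command-line auditing is on. Same search as the SPL
#    above, run locally; 30 days of 4688 on a busy server can take a while.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object { $findings.Add("4688 $($_.TimeCreated): $([regex]::Match($_.Message, $pattern).Value) on a process command line") }

# 6. IIS W3C logs: every use of the gateway is a request under /pswa. The log line
#    carries the client IP (c-ip) and, after sign-in, the user name (cs-username).
if (Test-Path $logDir) {
    Get-ChildItem -Path $logDir -Recurse -Filter '*.log' |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-String -Pattern '/pswa' -SimpleMatch |
        Select-Object -First 20 |
        ForEach-Object { $findings.Add("IIS: $($_.Line)") }
}

if ($findings.Count -eq 0) { 'No PSWA indicators found.' } else { $findings }

# Remediation for a server that is not an approved gateway (run deliberately, not from
# this script):
#   Get-PswaAuthorizationRule | Remove-PswaAuthorizationRule
#   Uninstall-PswaWebApplication
#   Uninstall-WindowsFeature -Name WindowsPowerShellWebAccess
```

Run it across a fleet with Invoke-Command and treat any wildcard rule or any /pswa request from an address you do not recognise as an incident, not a hygiene item.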

Read the full analysis: PowerShell Web Access: Your Network’s Backdoor
