Disable-WindowsOptionalFeature Command PowerShell
Detects use of the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) tooling. Like DISM.exe, this cmdlet enumerates, installs, uninstalls, configures, and updates features and packages in Windows images; the rule fires when it is used online against Windows Defender features.
Sigma rule
title: Disable-WindowsOptionalFeature Command PowerShell
id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
status: test
description: |
    Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
    - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
author: frack113
date: 2022/09/10
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Disable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any important windows features
        ScriptBlockText|contains:
            - 'Windows-Defender-Gui'
            - 'Windows-Defender-Features'
            - 'Windows-Defender'
            - 'Windows-Defender-ApplicationGuard'
            # - 'Containers-DisposableClientVM' # Windows Sandbox
    condition: all of selection*
falsepositives:
    - Unknown
level: high
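To show how the two selections combine, here is an added example (not part of the Sigma rule or the Sigma project) that evaluates the rule's logic in Python over a few constructed PowerShell script block log entries. It assumes Sigma's default case-insensitive `contains` semantics and that the text comes from the ScriptBlockText field of PowerShell Operational event 4104; the event dictionaries are constructed samples, not real logs.

```python
# Added example: a minimal evaluator for this rule's detection block.
# Mirrors selection_cmd (contains|all) AND selection_feature (contains),
# i.e. "condition: all of selection*".

# Values copied from the rule above.
CMD_ALL = ["Disable-WindowsOptionalFeature", "-Online", "-FeatureName"]
FEATURES_ANY = [
    "Windows-Defender-Gui",
    "Windows-Defender-Features",
    "Windows-Defender",              # substring of the other three, so it
    "Windows-Defender-ApplicationGuard",  # alone already covers them
]


def contains_all(text: str, needles: list[str]) -> bool:
    """Sigma 'contains|all': every needle appears (case-insensitive)."""
    lowered = text.lower()
    return all(n.lower() in lowered for n in needles)


def contains_any(text: str, needles: list[str]) -> bool:
    """Sigma 'contains' on a list: at least one needle appears."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(script_block_text: str) -> bool:
    """True when both selections match, as required by the condition."""
    return contains_all(script_block_text, CMD_ALL) and contains_any(
        script_block_text, FEATURES_ANY
    )


def alerts(events: list[dict]) -> list[str]:
    """Return the ScriptBlockText of every 4104 event the rule would flag."""
    return [
        e["ScriptBlockText"]
        for e in events
        if e.get("EventID") == 4104 and matches_rule(e["ScriptBlockText"])
    ]


# Constructed sample events (assumption: field names as in Sigma's ps_script source).
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Disable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-Features -NoRestart"},
    {"EventID": 4104, "ScriptBlockText": "Disable-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64"},
    {"EventID": 4104, "ScriptBlockText": "Get-WindowsOptionalFeature -Online | Where-Object State -eq Enabled"},
    {"EventID": 4104, "ScriptBlockText": "disable-windowsoptionalfeature -online -featurename windows-defender"},
]
```

Running `alerts(SAMPLE_EVENTS)` flags the first and last entries only: removing a non-Defender feature and merely enumerating features do not satisfy both selections.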
Related rules
- Disable Windows Defender AV Security Monitoring
- Dism Remove Online Package
- Windows Defender Threat Detection Disabled - Service
- AMSI Bypass Pattern Assembly GetType
- Azure Kubernetes Events Deleted