Disable-WindowsOptionalFeature Command PowerShell
Detects use of the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) tooling. Like DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
Sigma rule
title: Disable-WindowsOptionalFeature Command PowerShell
id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
status: test
description: |
    Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
    - https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
author: frack113
date: 2022-09-10
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Disable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any important windows features
        ScriptBlockText|contains:
            - 'Windows-Defender-Gui'
            - 'Windows-Defender-Features'
            - 'Windows-Defender'
            - 'Windows-Defender-ApplicationGuard'
            # - 'Containers-DisposableClientVM' # Windows Sandbox
    condition: all of selection*
falsepositives:
    - Unknown
level: high
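To show how the two selections and the `all of selection*` condition combine, here is a small Python evaluator that applies the rule's matching logic to a handful of Script Block Logging events. This is an added example, not code from the Sigma project or the rule author; the patterns are copied from the rule above, the `ScriptBlockText` field name follows the rule's logsource, and the sample events are constructed for illustration (their content is invented, including the non-Defender feature name used to show a near miss).

```python
# Added example (not part of the Sigma rule or the Sigma project): a minimal
# evaluator for this rule's two selections and its "all of selection*" condition,
# applied to constructed PowerShell Script Block Logging events.

# Patterns copied from the rule above.
SELECTION_CMD_ALL = ("Disable-WindowsOptionalFeature", "-Online", "-FeatureName")
SELECTION_FEATURE_ANY = (
    "Windows-Defender-Gui",
    "Windows-Defender-Features",
    "Windows-Defender",
    "Windows-Defender-ApplicationGuard",
)


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string modifiers match case-insensitively unless |cased is given,
    # so a lower-cased invocation must still trigger the rule.
    return needle.lower() in haystack.lower()


def selection_cmd(script_block_text: str) -> bool:
    """ScriptBlockText|contains|all: every pattern must appear."""
    return all(_contains(script_block_text, p) for p in SELECTION_CMD_ALL)


def selection_feature(script_block_text: str) -> bool:
    """ScriptBlockText|contains: at least one pattern must appear."""
    return any(_contains(script_block_text, p) for p in SELECTION_FEATURE_ANY)


def rule_matches(event: dict) -> bool:
    """condition: all of selection* -> both selections must hold for one event."""
    text = event.get("ScriptBlockText", "")
    return selection_cmd(text) and selection_feature(text)


# Constructed sample events in the shape of Script Block Logging records
# (Event ID 4104 carries the ScriptBlockText field). Values are made up.
SAMPLE_EVENTS = [
    # Enumeration only: no Disable-WindowsOptionalFeature, no -FeatureName.
    {"EventID": 4104, "ScriptBlockText": "Get-WindowsOptionalFeature -Online | Where-Object State -eq Enabled"},
    # Disables a feature, but not one listed in selection_feature: no alert.
    {"EventID": 4104, "ScriptBlockText": "Disable-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64"},
    # Lower-cased cmdlet and parameters against a Defender feature: alert.
    {"EventID": 4104, "ScriptBlockText": "disable-windowsoptionalfeature -online -featurename Windows-Defender-ApplicationGuard"},
    # Mentions a Defender feature but never calls the cmdlet: no alert.
    {"EventID": 4104, "ScriptBlockText": "Write-Host 'Windows-Defender status check'"},
]


def evaluate(events):
    """Return the indexes of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT level=high event={i}: {SAMPLE_EVENTS[i]['ScriptBlockText']}")
```

Only the third event fires: the first and fourth satisfy neither or only one selection, and the second satisfies `selection_cmd` but names a feature outside `selection_feature`, which is exactly the case the rule's `# Add any important windows features` comment invites you to tune. Extending `SELECTION_FEATURE_ANY` (for example with the commented-out Windows Sandbox entry) widens coverage without touching the condition logic.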