Disable-WindowsOptionalFeature Command PowerShell

Detects use of the built-in PowerShell cmdlet Disable-WindowsOptionalFeature (from the DISM module, the PowerShell counterpart of DISM.exe) against the running system (-Online) to turn off Windows Defender features. Like DISM.exe, the cmdlet enumerates, installs, uninstalls, configures and updates features and packages in Windows images; disabling Defender components this way is a defense-evasion technique (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). The rule relies on PowerShell Script Block Logging (Event ID 4104), so it produces nothing on hosts where that logging is not enabled.

Sigma rule

title: Disable-WindowsOptionalFeature Command PowerShell
id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
status: test
description: |
    Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
    - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
author: frack113
date: 2022/09/10
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Disable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any important windows features
        ScriptBlockText|contains:
            - 'Windows-Defender-Gui'
            - 'Windows-Defender-Features'
            - 'Windows-Defender'
            - 'Windows-Defender-ApplicationGuard'
            # - 'Containers-DisposableClientVM' # Windows Sandbox
    condition: all of selection*
falsepositives:
    - Unknown
level: high
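To see exactly what the detection above does and does not fire on, the following added example replays the rule's matching logic in Python over a handful of constructed ScriptBlockText values. It is not part of the SigmaHQ rule or the Sigma toolchain; it assumes the Sigma semantics that `contains` matching is case-insensitive, `contains|all` requires every listed value, a plain `contains` list requires at least one, and `all of selection*` ANDs the two selections. The sample script block texts are constructed for illustration, not captured telemetry.

```python
"""Replay of the Sigma rule's selection logic over constructed Event ID 4104
ScriptBlockText samples. Added example, not SigmaHQ code."""

# selection_cmd: ScriptBlockText|contains|all (every value must be present)
SELECTION_CMD_ALL = ["Disable-WindowsOptionalFeature", "-Online", "-FeatureName"]

# selection_feature: ScriptBlockText|contains (any one value suffices).
# Note that 'Windows-Defender' is a substring of the other three entries,
# so by itself it already covers everything this list can match.
SELECTION_FEATURE_ANY = [
    "Windows-Defender-Gui",
    "Windows-Defender-Features",
    "Windows-Defender",
    "Windows-Defender-ApplicationGuard",
]


def contains_all(text, needles):
    """Sigma 'contains|all': case-insensitive substring match on every needle."""
    haystack = text.lower()
    return all(n.lower() in haystack for n in needles)


def contains_any(text, needles):
    """Sigma 'contains' with a list: case-insensitive match on at least one needle."""
    haystack = text.lower()
    return any(n.lower() in haystack for n in needles)


def rule_matches(script_block_text):
    """condition: all of selection* -> selection_cmd AND selection_feature."""
    return contains_all(script_block_text, SELECTION_CMD_ALL) and contains_any(
        script_block_text, SELECTION_FEATURE_ANY
    )


# Constructed ScriptBlockText samples (assumed, not real log data).
SAMPLES = {
    # Expected hits
    "defender_gui": "Disable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-Gui -NoRestart",
    "lowercase": "disable-windowsoptionalfeature -online -featurename windows-defender",
    "multi_feature": "Disable-WindowsOptionalFeature -Online -FeatureName @('Windows-Defender-ApplicationGuard','Containers-DisposableClientVM')",
    # Expected misses
    "get_only": "Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender",
    "sandbox_only": "Disable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM",
    "offline_image": "Disable-WindowsOptionalFeature -Path C:\\mount -FeatureName Windows-Defender",
    # PowerShell accepts any unambiguous parameter prefix, so '-Feature' is a
    # valid spelling of '-FeatureName'; the literal substring check misses it.
    "abbrev_param": "Disable-WindowsOptionalFeature -Online -Feature Windows-Defender",
}


def evaluate(samples=SAMPLES):
    """Return {sample_name: bool} for each constructed script block."""
    return {name: rule_matches(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'no match':8} {name}")
```

The misses are as informative as the hits: `Get-WindowsOptionalFeature` is read-only and correctly ignored, the Windows Sandbox feature is excluded because its entry is commented out in the rule, and servicing an offline image with `-Path` is out of scope because the rule requires the literal `-Online`. The `abbrev_param` case is the caveat a practitioner should keep in mind: because the rule matches on the exact substring `-FeatureName`, an operator who abbreviates the parameter, or passes it through a splatted hashtable, will not trigger it, even though Script Block Logging still records the command.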
