Potential Suspicious Windows Feature Enabled
Detects use of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" (part of the DISM module) to turn on a Windows optional feature. Like DISM.exe, this cmdlet enumerates, installs, uninstalls, configures and updates features and packages in Windows images. The rule only fires when the command targets one of a small list of insecure or unusual features (Telnet server, Internet Explorer, TFTP, SMB1, the Projected File System client, the Windows Subsystem for Linux); the list is meant to be extended with whatever is unusual in your environment.
Sigma rule

title: Potential Suspicious Windows Feature Enabled
id: 55c925c1-7195-426b-a136-a9396800e29b
related:
    - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
      type: similar
status: test
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: frack113
date: 2022-09-10
modified: 2022-12-29
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any insecure/unusual windows features to your env
        ScriptBlockText|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the features listed in the rule.
level: medium
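The following is an added example, not part of the SigmaHQ rule or its page: it replays the rule's matching logic in Python over a handful of constructed Script Block Logging records (Event ID 4104, `ScriptBlockText` field) so you can see which command lines fire and which do not. Sigma string modifiers are case-insensitive substring matches by default, so `contains|all` becomes "every needle is a substring" and `contains` becomes "at least one needle is a substring"; the sample events, the `SELECTION_*` names and the `alerts` helper are this example's own inventions.

```python
"""Replay the 'Potential Suspicious Windows Feature Enabled' Sigma rule over
constructed PowerShell Script Block Logging events (Event ID 4104).

Example code only: the events below are constructed for illustration and are
not real telemetry; the helper names are not part of Sigma or of the rule.
"""

# selection_cmd: ScriptBlockText|contains|all
SELECTION_CMD = [
    "Enable-WindowsOptionalFeature",
    "-Online",
    "-FeatureName",
]

# selection_feature: ScriptBlockText|contains (extend with your own unusual features)
SELECTION_FEATURE = [
    "TelnetServer",
    "Internet-Explorer-Optional-amd64",
    "TFTP",
    "SMB1Protocol",
    "Client-ProjFS",
    "Microsoft-Windows-Subsystem-Linux",
]


def contains_all(text: str, needles) -> bool:
    """Sigma 'contains|all': every needle is a case-insensitive substring."""
    lowered = text.lower()
    return all(n.lower() in lowered for n in needles)


def contains_any(text: str, needles) -> bool:
    """Sigma 'contains' with a list: at least one needle matches."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(script_block_text: str) -> bool:
    """condition: all of selection_* -> both selections must be true."""
    return contains_all(script_block_text, SELECTION_CMD) and contains_any(
        script_block_text, SELECTION_FEATURE
    )


# Constructed sample events (not real log data), one dict per 4104 record.
SAMPLE_EVENTS = [
    # fires: listed feature, all three command tokens present
    {"EventID": 4104, "ScriptBlockText":
        "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All -NoRestart"},
    # fires: Sigma matching is case-insensitive
    {"EventID": 4104, "ScriptBlockText":
        "enable-windowsoptionalfeature -online -featurename TelnetServer"},
    # does not fire: NetFx3 is not in selection_feature
    {"EventID": 4104, "ScriptBlockText":
        "Enable-WindowsOptionalFeature -Online -FeatureName NetFx3"},
    # does not fire: read-only cmdlet, 'Enable-WindowsOptionalFeature' absent
    {"EventID": 4104, "ScriptBlockText":
        "Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    # does not fire: PowerShell accepts the unambiguous prefix '-Feature',
    # but the rule requires the literal token '-FeatureName'
    {"EventID": 4104, "ScriptBlockText":
        "Enable-WindowsOptionalFeature -Online -Feature SMB1Protocol"},
    # does not fire: servicing an offline image (-Path) rather than -Online
    {"EventID": 4104, "ScriptBlockText":
        "Enable-WindowsOptionalFeature -Path C:\\mount -FeatureName SMB1Protocol"},
]


def alerts(events):
    """Return the ScriptBlockText of every 4104 event the rule matches."""
    return [
        e["ScriptBlockText"]
        for e in events
        if e.get("EventID") == 4104 and matches_rule(e["ScriptBlockText"])
    ]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block prints two alerts (the SMB1Protocol and TelnetServer lines). The last two sample events are the practitioner's check on scope: the rule keys on the literal tokens `-Online` and `-FeatureName`, so an abbreviated parameter name or an offline-image (`-Path`) invocation naming the same feature is not covered; if that matters in your environment, loosen `selection_cmd` or add a sibling rule rather than widening `selection_feature`.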