Potential Suspicious Windows Feature Enabled
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Sigma rule (View on GitHub)
1title: Potential Suspicious Windows Feature Enabled
2id: 55c925c1-7195-426b-a136-a9396800e29b
3related:
4 - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
5 type: similar
6status: test
7description: |
8 Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
9 Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
10references:
11 - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
12 - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
13 - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
14author: frack113
15date: 2022/09/10
16modified: 2022/12/29
17tags:
18 - attack.defense_evasion
19logsource:
20 product: windows
21 category: ps_script
22 definition: 'Requirements: Script Block Logging must be enabled'
23detection:
24 selection_cmd:
25 ScriptBlockText|contains|all:
26 - 'Enable-WindowsOptionalFeature'
27 - '-Online'
28 - '-FeatureName'
29 selection_feature:
30 # Add any insecure/unusual windows features to your env
31 ScriptBlockText|contains:
32 - 'TelnetServer'
33 - 'Internet-Explorer-Optional-amd64'
34 - 'TFTP'
35 - 'SMB1Protocol'
36 - 'Client-ProjFS'
37 - 'Microsoft-Windows-Subsystem-Linux'
38 condition: all of selection_*
39falsepositives:
40 - Legitimate usage of the features listed in the rule.
41level: medium
References
Related rules
- AgentExecutor PowerShell Execution
- Change User Account Associated with the FAX Service
- Change the Fax Dll
- Exchange PowerShell Cmdlet History Deleted
- ImagingDevices Unusual Parent/Child Processes