Dism Remove Online Package

Detects DISM (the Deployment Image Servicing and Management tool) being run against the live Windows installation (`/Online`) with `/Disable-Feature`, the command line used to remove Windows Defender from a running system (MITRE ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). DISM is a legitimate Windows tool used to enumerate, install, uninstall, configure, and update features and packages in Windows images, so the rule keys on the switch combination rather than on the binary alone. It matches both the Dism.exe process itself and the DismHost.exe helper it spawns, whose parent command line carries the same switches.

Sigma rule

title: Dism Remove Online Package
id: 43e32da2-fdd0-4156-90de-50dfd62636f9
status: test
description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
    - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
author: frack113
date: 2022-01-16
modified: 2022-08-26
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_dismhost:
        Image|endswith: '\DismHost.exe'
        ParentCommandLine|contains|all:
            - '/Online'
            - '/Disable-Feature'
            # - '/FeatureName:'
            # - '/Remove'
            # /NoRestart
            # /quiet
    selection_dism:
        Image|endswith: '\Dism.exe'
        CommandLine|contains|all:
            - '/Online'
            - '/Disable-Feature'
            # - '/FeatureName:'
            # - '/Remove'
            # /NoRestart
            # /quiet
    condition: 1 of selection_*
falsepositives:
    - Legitimate script
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Windows Defender with DISM
      technique: T1562.001
      atomic_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58
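The following Python is an added example, not code from SigmaHQ and not a Sigma backend: it re-implements the two selections and the `1 of selection_*` condition above and runs them over constructed process-creation events. The event field values are made up for the demonstration (the DismHost.exe temp-directory path and its GUID argument are assumptions), and the attacking command line is modelled on the referenced Atomic Red Team test with lower-case switches on purpose, because Sigma's `contains` and `endswith` modifiers are case-insensitive and a case-sensitive port of the rule would miss it.

```python
"""Minimal re-implementation of the "Dism Remove Online Package" Sigma rule's
detection logic (added example; not SigmaHQ code and not a Sigma backend).

Sigma's `contains` and `endswith` string modifiers are case-insensitive, so
both sides are lower-cased before comparison. Field names follow the Sigma
process_creation log source used by the rule.
"""

# Constructed sample events (not real telemetry). Paths, the DismHost.exe
# temp directory and its GUID argument are assumptions for illustration.
SAMPLE_EVENTS = [
    {
        # Direct Dism.exe invocation, in the style of the Atomic Red Team test
        # the rule references (lower-case switches on purpose).
        "Image": r"C:\Windows\System32\Dism.exe",
        "CommandLine": r"dism.exe /online /disable-feature /featurename:Windows-Defender /Remove /NoRestart /quiet",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {
        # The DismHost.exe helper spawned by that Dism.exe process: its own
        # command line carries no servicing switches, only the parent's does.
        "Image": r"C:\Users\admin\AppData\Local\Temp\6F1D2C3A-0000-4000-8000-000000000000\DismHost.exe",
        "CommandLine": r"C:\Users\admin\AppData\Local\Temp\6F1D2C3A-0000-4000-8000-000000000000\DismHost.exe {6F1D2C3A-0000-4000-8000-000000000000}",
        "ParentCommandLine": r"dism.exe /online /disable-feature /featurename:Windows-Defender /Remove /NoRestart /quiet",
    },
    {
        # Benign: enumerating features on the running OS does not match.
        "Image": r"C:\Windows\System32\Dism.exe",
        "CommandLine": r"Dism.exe /Online /Get-Features",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {
        # Out of scope: disabling a feature in a mounted offline image
        # (/Image: instead of /Online) is not what the rule looks for.
        "Image": r"C:\Windows\System32\Dism.exe",
        "CommandLine": r"Dism.exe /Image:D:\mount /Disable-Feature /FeatureName:TelnetClient",
        "ParentCommandLine": r"powershell.exe -NoProfile -File C:\build\customize.ps1",
    },
]


def _endswith(value: str, suffix: str) -> bool:
    """Sigma `endswith` modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def _contains_all(value: str, needles) -> bool:
    """Sigma `contains|all` modifier: every needle present, case-insensitive."""
    haystack = value.lower()
    return all(n.lower() in haystack for n in needles)


# The two switches both selections require; the commented-out ones in the
# rule (/FeatureName:, /Remove, /NoRestart, /quiet) are deliberately not needed.
ONLINE_DISABLE = ("/Online", "/Disable-Feature")


def selection_dismhost(event: dict) -> bool:
    """DismHost.exe whose *parent* ran Dism with /Online /Disable-Feature."""
    return _endswith(event.get("Image", ""), r"\DismHost.exe") and _contains_all(
        event.get("ParentCommandLine", ""), ONLINE_DISABLE
    )


def selection_dism(event: dict) -> bool:
    """Dism.exe itself invoked with /Online /Disable-Feature."""
    return _endswith(event.get("Image", ""), r"\Dism.exe") and _contains_all(
        event.get("CommandLine", ""), ONLINE_DISABLE
    )


def matches(event: dict):
    """`condition: 1 of selection_*`: name of the first matching selection, or None."""
    for name, check in (("selection_dismhost", selection_dismhost), ("selection_dism", selection_dism)):
        if check(event):
            return name
    return None


def run(events):
    """Return (index, selection) for every event the rule fires on."""
    hits = []
    for i, event in enumerate(events):
        name = matches(event)
        if name:
            hits.append((i, name))
    return hits


if __name__ == "__main__":
    for i, name in run(SAMPLE_EVENTS):
        print(f"event {i}: matched {name}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running it fires on the first two constructed events only: the Dism.exe process via `selection_dism` and its DismHost.exe child via `selection_dismhost`, so one attack produces two alerts that should be correlated on the parent process. The `selection_dismhost` branch only works with a log source that records `ParentCommandLine` (Sysmon event ID 1 does); a source that records just the parent image name leaves `selection_dism` as the only effective branch. Because the rule requires the literal `/Online`, servicing a mounted offline image with `/Image:` does not match, which is intended: the feature removal that matters for defense evasion is the one against the running system.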
