Dism Remove Online Package

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Sigma rule (View on GitHub)

 1title: Dism Remove Online Package
 2id: 43e32da2-fdd0-4156-90de-50dfd62636f9
 3status: test
 4description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
 7    - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
 8author: frack113
 9date: 2022-01-16
10modified: 2022-08-26
11tags:
12    - attack.defense-evasion
13    - attack.t1562.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_dismhost:
19        Image|endswith: '\DismHost.exe'
20        ParentCommandLine|contains|all:
21            - '/Online'
22            - '/Disable-Feature'
23            # - '/FeatureName:'
24            # - '/Remove'
25            # /NoRestart
26            # /quiet
27    selection_dism:
28        Image|endswith: '\Dism.exe'
29        CommandLine|contains|all:
30            - '/Online'
31            - '/Disable-Feature'
32            # - '/FeatureName:'
33            # - '/Remove'
34            # /NoRestart
35            # /quiet
36    condition: 1 of selection_*
37falsepositives:
38    - Legitimate script
39level: medium

References

Related rules

to-top