Potential Suspicious Windows Feature Enabled - ProcCreation

 1title: Potential Suspicious Windows Feature Enabled - ProcCreation
 2id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
 3related:
 4    - id: 55c925c1-7195-426b-a136-a9396800e29b
 5      type: similar
 6status: test
 7description: |
 8    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
 9    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images    
10references:
11    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
12    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
13    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2022-12-29
16tags:
17    - attack.defense-evasion
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_cmd:
23        CommandLine|contains|all:
24            - 'Enable-WindowsOptionalFeature'
25            - '-Online'
26            - '-FeatureName'
27    selection_feature:
28        # Add any insecure/unusual windows features that you don't use in your environment
29        CommandLine|contains:
30            - 'TelnetServer'
31            - 'Internet-Explorer-Optional-amd64'
32            - 'TFTP'
33            - 'SMB1Protocol'
34            - 'Client-ProjFS'
35            - 'Microsoft-Windows-Subsystem-Linux'
36    condition: all of selection_*
37falsepositives:
38    - Legitimate usage of the features listed in the rule.
39level: medium

References

• Enable-WindowsOptionalFeature (DISM)

  

  Use this topic to help manage Windows and Windows Server technologies with Windows PowerShell.

  
  Read More

• Enabling Windows Projected File System - Win32 apps

  

  Describes how to enable ProjFS on Windows

  
  Read More

• Install Linux Subsystem on Windows Server

  

  Learn how to install the Linux Subsystem on Windows Server. WSL is available for installation on Windows Server 2019 (version 1709) and later.

  
  Read More

Related rules

• AD Object WriteDAC Access
• ADS Zone.Identifier Deleted By Uncommon Application
• AMSI Bypass Pattern Assembly GetType
• APT PRIVATELOG Image Load Pattern
• APT27 - Emissary Panda Activity