Potential Suspicious Windows Feature Enabled - ProcCreation
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Sigma rule (View on GitHub)
1title: Potential Suspicious Windows Feature Enabled - ProcCreation
2id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
3related:
4 - id: 55c925c1-7195-426b-a136-a9396800e29b
5 type: similar
6status: test
7description: |
8 Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
9 Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
10references:
11 - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
12 - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
13 - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2022/12/29
16tags:
17 - attack.defense_evasion
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_cmd:
23 CommandLine|contains|all:
24 - 'Enable-WindowsOptionalFeature'
25 - '-Online'
26 - '-FeatureName'
27 selection_feature:
28 # Add any insecure/unusual windows features that you don't use in your environment
29 CommandLine|contains:
30 - 'TelnetServer'
31 - 'Internet-Explorer-Optional-amd64'
32 - 'TFTP'
33 - 'SMB1Protocol'
34 - 'Client-ProjFS'
35 - 'Microsoft-Windows-Subsystem-Linux'
36 condition: all of selection_*
37falsepositives:
38 - Legitimate usage of the features listed in the rule.
39level: medium
References
Related rules
- AgentExecutor PowerShell Execution
- Change User Account Associated with the FAX Service
- Change the Fax Dll
- Exchange PowerShell Cmdlet History Deleted
- ImagingDevices Unusual Parent/Child Processes