Potential Suspicious Windows Feature Enabled - ProcCreation
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
Sigma rule
```yaml
title: Potential Suspicious Windows Feature Enabled - ProcCreation
id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
related:
    - id: 55c925c1-7195-426b-a136-a9396800e29b
      type: similar
status: test
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-29
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        CommandLine|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any insecure/unusual windows features that you don't use in your environment
        CommandLine|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the features listed in the rule.
level: medium
```
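The rule combines two selections: `selection_cmd` requires all three cmdlet strings in `CommandLine`, and `selection_feature` requires at least one of the listed feature names; `all of selection_*` fires only when both hold. The following Python is an added example, not part of the SigmaHQ rule or of Sigma's own tooling: it applies that logic to a handful of constructed process_creation events (field names `Image` and `CommandLine` follow the Sigma process_creation taxonomy, the command lines are made up) so the coverage and the gaps of the rule can be checked offline.

```python
# Added example (not part of the SigmaHQ rule or Sigma tooling): a minimal
# matcher that applies the rule's `all of selection_*` logic to constructed
# process_creation events. Field names (Image, CommandLine) follow Sigma's
# process_creation taxonomy.

# selection_cmd: every one of these must appear (contains|all)
REQUIRED_ALL = ("Enable-WindowsOptionalFeature", "-Online", "-FeatureName")

# selection_feature: at least one of these must appear (contains)
SUSPICIOUS_FEATURES = (
    "TelnetServer",
    "Internet-Explorer-Optional-amd64",
    "TFTP",
    "SMB1Protocol",
    "Client-ProjFS",
    "Microsoft-Windows-Subsystem-Linux",
)


def matched_features(event: dict) -> list:
    """Return the listed features found in CommandLine when the rule fires,
    or an empty list when it does not.

    Sigma string matching is case-insensitive by default, so both selections
    are evaluated on a lower-cased copy of CommandLine.
    """
    cmd = (event.get("CommandLine") or "").lower()
    selection_cmd = all(token.lower() in cmd for token in REQUIRED_ALL)
    if not selection_cmd:
        return []
    return [f for f in SUSPICIOUS_FEATURES if f.lower() in cmd]


def matches(event: dict) -> bool:
    """True when the event satisfies `condition: all of selection_*`."""
    return bool(matched_features(event))


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Listed feature enabled through the cmdlet: both selections hold
    {"Image": PS,
     "CommandLine": "powershell.exe Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All"},
    # Different casing plus -NoRestart: still matches (case-insensitive contains)
    {"Image": PS,
     "CommandLine": "powershell.exe enable-windowsoptionalfeature -online -featurename microsoft-windows-subsystem-linux -norestart"},
    # Feature not on the list: selection_feature fails
    {"Image": PS,
     "CommandLine": "powershell.exe Enable-WindowsOptionalFeature -Online -FeatureName NetFx3"},
    # Read-only query, not the Enable cmdlet: selection_cmd fails
    {"Image": PS,
     "CommandLine": "powershell.exe Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    # Same feature enabled via DISM.exe: none of the cmdlet strings appear, so no match
    {"Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "Dism.exe /Online /Enable-Feature /FeatureName:SMB1Protocol"},
]


def scan(events: list) -> list:
    """Evaluate each event and return (Image, matched features) for the hits."""
    return [(e["Image"], matched_features(e)) for e in events if matches(e)]


if __name__ == "__main__":
    for image, features in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(features)}")
```

Only the first two constructed events fire. The `NetFx3` event shows that the feature list is the tuning knob the rule's own comment points at: a feature is only flagged once it is added there. The `Get-WindowsOptionalFeature` and `Dism.exe` events show the boundary of `selection_cmd`: the rule keys on the cmdlet strings, so enabling the same feature through DISM.exe (which the description mentions as the equivalent tool) is not caught by these strings and needs separate coverage.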