sigmaDRL-1.1from SigmaHQ/sigma
Disable-WindowsOptionalFeature Command PowerShell
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Quality
84
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
title: Disable-WindowsOptionalFeature Command PowerShell
id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
status: test
description: |
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
- https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
author: frack113
date: 2022-09-10
tags:
- attack.defense-evasion
- attack.t1562.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
- 'Disable-WindowsOptionalFeature'
- '-Online'
- '-FeatureName'
selection_feature:
# Add any important windows features
ScriptBlockText|contains:
- 'Windows-Defender-Gui'
- 'Windows-Defender-Features'
- 'Windows-Defender'
- 'Windows-Defender-ApplicationGuard'
# - 'Containers-DisposableClientVM' # Windows Sandbox
condition: all of selection*
falsepositives:
- Unknown
level: high