rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml

title: Potential Suspicious Windows Feature Enabled
id: 55c925c1-7195-426b-a136-a9396800e29b
related:
    - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
      type: similar
status: experimental
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: frack113
date: 2022/09/10
modified: 2022/12/29
tags:
    - attack.defense_evasion
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any unsecure/unusual windows features to your env
        ScriptBlockText|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
feat: updates and enhancements 2022-12-30 00:56:40 +01:00			`title: Potential Suspicious Windows Feature Enabled`
$frack113$ Add posh_ps_enable_windowsoptionalfeature 2022-09-11 19:43:54 +02:00			`id: 55c925c1-7195-426b-a136-a9396800e29b`
feat: updates and enhancements 2022-12-30 00:56:40 +01:00			`related:`
			`- id: c740d4cf-a1e9-41de-bb16-8a46a4f57918`
			`type: similar`
$frack113$ Add posh_ps_enable_windowsoptionalfeature 2022-09-11 19:43:54 +02:00			`status: experimental`
			`description: \|`
feat: updates and enhancements 2022-12-30 00:56:40 +01:00			`Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images`
$frack113$ Add posh_ps_enable_windowsoptionalfeature 2022-09-11 19:43:54 +02:00			`references:`
			`- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps`
feat: updates and enhancements 2022-12-30 00:56:40 +01:00			`- https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system`
			`- https://learn.microsoft.com/en-us/windows/wsl/install-on-server`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`author: frack113`
			`date: 2022/09/10`
feat: updates and enhancements 2022-12-30 00:56:40 +01:00			`modified: 2022/12/29`
$frack113$ Add posh_ps_enable_windowsoptionalfeature 2022-09-11 19:43:54 +02:00			`tags:`
			`- attack.defense_evasion`
			`logsource:`
			`product: windows`
			`category: ps_script`
			`definition: Script block logging must be enabled`
			`detection:`
			`selection_cmd:`
			`ScriptBlockText\|contains\|all:`
			`- 'Enable-WindowsOptionalFeature'`
			`- '-Online'`
			`- '-FeatureName'`
			`selection_feature:`
feat: updates and enhancements 2022-12-30 00:56:40 +01:00			`# Add any unsecure/unusual windows features to your env`
$frack113$ Add posh_ps_enable_windowsoptionalfeature 2022-09-11 19:43:54 +02:00			`ScriptBlockText\|contains:`
			`- 'TelnetServer'`
			`- 'Internet-Explorer-Optional-amd64'`
			`- 'TFTP'`
			`- 'SMB1Protocol'`
feat: updates and enhancements 2022-12-30 00:56:40 +01:00			`- 'Client-ProjFS'`
			`- 'Microsoft-Windows-Subsystem-Linux'`
$frack113$ Add posh_ps_enable_windowsoptionalfeature 2022-09-11 19:43:54 +02:00			`condition: all of selection*`
			`falsepositives:`
			`- Unknown`
			`level: medium`