rules/windows/process_creation/proc_creation_win_dsim_remove.yml

title: Dism Remove Online Package
id: 43e32da2-fdd0-4156-90de-50dfd62636f9
status: experimental
description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images 
author: frack113
date: 2022/01/16
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
logsource:
    category: process_creation
    product: windows
detection:
    selection_dismhost:
        Image|endswith: '\DismHost.exe' 
        ParentCommandLine|contains|all:
            - '/online'
            - '/Disable-Feature'
            - '/FeatureName:'
            - '/Remove'
            #/NoRestart
            #/quiet
    selection_dism:
        Image|endswith: '\Dism.exe'
        CommandLine|contains|all:
            - '/online'
            - '/Disable-Feature'
            - '/FeatureName:'
            - '/Remove'
            #/NoRestart
            #/quiet
    condition: 1 of selection_*
falsepositives:
    - Legitim script
level: medium
tags:
    - attack.defense_evasion
    - attack.t1562.001
$frack113$ Windows Redcannary 2022-01-16 14:47:56 +01:00			`title: Dism Remove Online Package`
			`id: 43e32da2-fdd0-4156-90de-50dfd62636f9`
			`status: experimental`
$frack113$ Fix space 2022-01-16 15:12:50 +01:00			`description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images`
$frack113$ Windows Redcannary 2022-01-16 14:47:56 +01:00			`author: frack113`
			`date: 2022/01/16`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection_dismhost:`
			`Image\|endswith: '\DismHost.exe'`
			`ParentCommandLine\|contains\|all:`
			`- '/online'`
			`- '/Disable-Feature'`
			`- '/FeatureName:'`
			`- '/Remove'`
			`#/NoRestart`
			`#/quiet`
			`selection_dism:`
			`Image\|endswith: '\Dism.exe'`
			`CommandLine\|contains\|all:`
			`- '/online'`
			`- '/Disable-Feature'`
			`- '/FeatureName:'`
			`- '/Remove'`
			`#/NoRestart`
			`#/quiet`
			`condition: 1 of selection_*`
			`falsepositives:`
			`- Legitim script`
			`level: medium`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1562.001`