From 486fdabe340bd344900de3a36d1e9cd102f5a777 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 10 Sep 2022 19:15:36 +0200
Subject: [PATCH] Add posh_ps_disable_windowsoptionalfeature

---
 ...posh_ps_disable_windowsoptionalfeature.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml

diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
new file mode 100644
index 000000000..601f6b71f
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
@@ -0,0 +1,35 @@
+title: Disable-WindowsOptionalFeature Command PowerShell
+id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
+status: experimental
+author: frack113
+date: 2021/09/10
+description: |
+ Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+ Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
+ - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+tags:
+ - attack.collection
+ - attack.t1119
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection_cmd:
+ ScriptBlockText|contains|all:
+ - 'Disable-WindowsOptionalFeature'
+ - '-Online'
+ - '-FeatureName'
+ selection_feature:
+ # Add any important windows features
+ ScriptBlockText|contains:
+ - 'Windows-Defender-Gui'
+ - 'Windows-Defender-Features'
+ - 'Windows-Defender'
+ - 'Windows-Defender-ApplicationGuard'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
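Review bot: The ATT&CK tags in the new rule do not match what it detects: disabling Windows Defender features via Disable-WindowsOptionalFeature is the Impair Defenses behaviour the rule's own atomic-red-team reference (T1562.001) describes, not Automated Collection, so `- attack.collection` / `- attack.t1119` should read `- attack.defense_evasion` / `- attack.t1562.001`. The `date: 2021/09/10` field also looks like a year typo, since the commit is dated 10 Sep 2022; `date: 2022/09/10` would be consistent with the commit record. As a point of style, the `'Windows-Defender'` entry in `selection_feature` already matches every other value in that list under a `contains` modifier, so the three more specific names are redundant and could be dropped or the comment above them could explain why they are kept. A `falsepositives` entry noting legitimate administrative image servicing would help triage at `level: high`.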