title: Enable-WindowsOptionalFeature Command PowerShell
id: 55c925c1-7195-426b-a136-a9396800e29b
status: experimental
description: |
    Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
author: frack113
date: 2022/09/10
tags:
    - attack.defense_evasion
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any unsecure windows features
        ScriptBlockText|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium