title: Dism Remove Online Package
id: 43e32da2-fdd0-4156-90de-50dfd62636f9
status: experimental
description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images 
author: frack113
date: 2022/01/16
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
logsource:
    category: process_creation
    product: windows
detection:
    selection_dismhost:
        Image|endswith: '\DismHost.exe' 
        ParentCommandLine|contains|all:
            - '/online'
            - '/Disable-Feature'
            - '/FeatureName:'
            - '/Remove'
            #/NoRestart
            #/quiet
    selection_dism:
        Image|endswith: '\Dism.exe'
        CommandLine|contains|all:
            - '/online'
            - '/Disable-Feature'
            - '/FeatureName:'
            - '/Remove'
            #/NoRestart
            #/quiet
    condition: 1 of selection_*
falsepositives:
    - Legitim script
level: medium
tags:
    - attack.defense_evasion
    - attack.t1562.001