security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a99b5082e1a6c5c752120d56fdd67ee239e6a302
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
T
Nasreddine Bencherchali c6fd915619 feat: updates and enhancements
2022-12-30 00:56:40 +01:00

42 lines
1.5 KiB
YAML
Raw Blame History

title: Potential Suspicious Windows Feature Enabled
id: 55c925c1-7195-426b-a136-a9396800e29b
related:
- id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
type: similar
status: experimental
description: |
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
- https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
- https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: frack113
date: 2022/09/10
modified: 2022/12/29
tags:
- attack.defense_evasion
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection_cmd:
ScriptBlockText|contains|all:
- 'Enable-WindowsOptionalFeature'
- '-Online'
- '-FeatureName'
selection_feature:
# Add any unsecure/unusual windows features to your env
ScriptBlockText|contains:
- 'TelnetServer'
- 'Internet-Explorer-Optional-amd64'
- 'TFTP'
- 'SMB1Protocol'
- 'Client-ProjFS'
- 'Microsoft-Windows-Subsystem-Linux'
condition: all of selection*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink