Potential Suspicious Windows Feature Enabled

Sigma Rules

Summary
This rule detects invocations of the PowerShell cmdlet `Enable-WindowsOptionalFeature`, which belongs to the Deployment Image Servicing and Management (DISM) tooling. The cmdlet can enumerate, install, and update features and packages in Windows images; the rule targets its potentially malicious use to enable features that are frequently abused in attack scenarios. Specifically, it matches command executions that contain the `-Online` and `-FeatureName` parameters together with one of the feature names `TelnetServer`, `Internet-Explorer-Optional-amd64`, or `SMB1Protocol`, each of which is known to pose a security risk. The rule depends on PowerShell Script Block Logging being enabled on the monitored Windows hosts, since those logs are its input. Its severity is medium, reflecting the moderate risk that enabling these features through PowerShell may indicate misuse or unauthorized reconfiguration of Windows. Legitimate use cases should be taken into account during triage, because the same actions may be benign when performed by known administrators or security processes.
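The matching logic the summary describes, reduced to a small Python checker run over constructed Script Block Logging records. This is an added example, not the Sigma rule itself or code from the rule's authors; it assumes the rule's selection is a case-insensitive substring match on the cmdlet name, the two parameter names, and one of the three listed feature names, and the `known_admins` triage hook is a hypothetical addition illustrating the "legitimate use" caveat from the summary.

```python
"""Toy re-implementation of the 'Potential Suspicious Windows Feature Enabled'
detection logic. Assumptions (not from the rule file): all conditions are
case-insensitive substring checks, and the Script Block Logging records are
dicts carrying the script text under 'ScriptBlockText'. Sample events below
are constructed, not real telemetry.
"""

# Feature names the rule description lists as risky when enabled.
WATCHED_FEATURES = (
    "TelnetServer",
    "Internet-Explorer-Optional-amd64",
    "SMB1Protocol",
)


def is_suspicious_feature_enable(script_block: str) -> bool:
    """Return True when the script block satisfies every rule condition.

    PowerShell cmdlet and parameter names are case-insensitive, so the text is
    lower-cased before comparison. The '-Path' form of the cmdlet (servicing
    an offline image) is deliberately not matched, because the rule requires
    the '-Online' parameter.
    """
    text = script_block.lower()
    if "enable-windowsoptionalfeature" not in text:
        return False
    if "-online" not in text or "-featurename" not in text:
        return False
    return any(feature.lower() in text for feature in WATCHED_FEATURES)


def scan_script_blocks(events, known_admins=()):
    """Return matching events, tagging each with a triage hint.

    'known_admins' is a hypothetical allowlist of user names: a hit by one of
    them is still returned (the rule still fires) but flagged 'review' rather
    than 'investigate', mirroring the caveat that such actions can be benign
    when performed by known administrators.
    """
    hits = []
    for event in events:
        if not is_suspicious_feature_enable(event["ScriptBlockText"]):
            continue
        triage = "review" if event.get("User") in known_admins else "investigate"
        hits.append({**event, "Triage": triage})
    return hits


# Constructed sample records shaped like PowerShell Script Block Logging
# events (Event ID 4104 in Microsoft-Windows-PowerShell/Operational, a
# well-known Windows fact rather than something taken from the page).
SAMPLE_EVENTS = [
    {"EventID": 4104, "User": "CORP\\svc-deploy",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All"},
    {"EventID": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "enable-windowsoptionalfeature -online -featurename TelnetServer"},
    {"EventID": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-WindowsOptionalFeature -Online | Where-Object State -eq Enabled"},
    {"EventID": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName NetFx3"},
    {"EventID": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Path C:\\mount -FeatureName SMB1Protocol"},
]


if __name__ == "__main__":
    for hit in scan_script_blocks(SAMPLE_EVENTS, known_admins={"CORP\\svc-deploy"}):
        print(f"[{hit['Triage']}] {hit['User']}: {hit['ScriptBlockText']}")
```

Of the five constructed records only the first two match: the `Get-WindowsOptionalFeature` enumeration, the `NetFx3` enable, and the offline `-Path` servicing call all fail one of the three conditions, which is exactly the narrowing the rule's `-Online` and `-FeatureName` requirements provide.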
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Script
  • Application Log
Created: 2022-09-10