/
posh_ps_enable_susp_windows_optional_feature.yml
41 lines (41 loc) · 1.58 KB
/
posh_ps_enable_susp_windows_optional_feature.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
title: Potential Suspicious Windows Feature Enabled
id: 55c925c1-7195-426b-a136-a9396800e29b
related:
- id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
type: similar
status: test
description: |
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
- https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
- https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: frack113
date: 2022/09/10
modified: 2022/12/29
tags:
- attack.defense_evasion
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
- 'Enable-WindowsOptionalFeature'
- '-Online'
- '-FeatureName'
selection_feature:
# Add any insecure/unusual windows features to your env
ScriptBlockText|contains:
- 'TelnetServer'
- 'Internet-Explorer-Optional-amd64'
- 'TFTP'
- 'SMB1Protocol'
- 'Client-ProjFS'
- 'Microsoft-Windows-Subsystem-Linux'
condition: all of selection_*
falsepositives:
- Legitimate usage of the features listed in the rule.
level: medium