Techniques
Sample rules
Potential Suspicious Windows Feature Enabled - ProcCreation
- source: sigma
- techniques:
Description
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
Detection logic
condition: all of selection_*
selection_cmd:
    CommandLine|contains|all:
        - Enable-WindowsOptionalFeature
        - -Online
        - -FeatureName
selection_feature:
    CommandLine|contains:
        - TelnetServer
        - Internet-Explorer-Optional-amd64
        - TFTP
        - SMB1Protocol
        - Client-ProjFS
        - Microsoft-Windows-Subsystem-Linux
Potential Suspicious Windows Feature Enabled
- source: sigma
- techniques:
Description
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
Detection logic
condition: all of selection_*
selection_cmd:
    ScriptBlockText|contains|all:
        - Enable-WindowsOptionalFeature
        - -Online
        - -FeatureName
selection_feature:
    ScriptBlockText|contains:
        - TelnetServer
        - Internet-Explorer-Optional-amd64
        - TFTP
        - SMB1Protocol
        - Client-ProjFS
        - Microsoft-Windows-Subsystem-Linux
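The following is an added example, not part of the Sigma rules or their project, showing how the two rules' logic evaluates against constructed sample events: Sigma "contains" matching is case-insensitive, "contains|all" requires every token, plain "contains" requires any one, and the field name (CommandLine vs. ScriptBlockText) decides which rule variant applies. The event dicts and the evaluate() helper are assumptions made for this illustration.

```python
from typing import Optional

# Token lists copied from the two rules' selection blocks above.
CMD_ALL = ["Enable-WindowsOptionalFeature", "-Online", "-FeatureName"]
FEATURES = [
    "TelnetServer",
    "Internet-Explorer-Optional-amd64",
    "TFTP",
    "SMB1Protocol",
    "Client-ProjFS",
    "Microsoft-Windows-Subsystem-Linux",
]


def matches(text: str) -> bool:
    """Apply 'condition: all of selection_*' to one field value.
    selection_cmd needs every CMD_ALL token; selection_feature needs at
    least one FEATURES token. Sigma string matching is case-insensitive."""
    haystack = text.casefold()
    selection_cmd = all(t.casefold() in haystack for t in CMD_ALL)
    selection_feature = any(f.casefold() in haystack for f in FEATURES)
    return selection_cmd and selection_feature


def evaluate(event: dict) -> Optional[str]:
    """Return the title of the rule the event matches, or None.
    Process-creation events carry CommandLine; PowerShell script block
    logging (Event ID 4104) carries ScriptBlockText."""
    if "CommandLine" in event and matches(event["CommandLine"]):
        return "Potential Suspicious Windows Feature Enabled - ProcCreation"
    if "ScriptBlockText" in event and matches(event["ScriptBlockText"]):
        return "Potential Suspicious Windows Feature Enabled"
    return None


# Constructed sample events for illustration only (not real telemetry).
SAMPLE_EVENTS = [
    {"CommandLine": 'powershell.exe -c "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"'},
    {"CommandLine": "powershell.exe Enable-WindowsOptionalFeature -Online -FeatureName NetFx3"},
    {"CommandLine": "dism.exe /online /enable-feature /featurename:TelnetServer"},
    {"ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -All"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev), "<-", next(iter(ev.values())))
```

The second and third samples show the two kinds of non-match a practitioner should expect: a feature outside the watch list (NetFx3) and the equivalent DISM.exe invocation, which these two rules do not cover because they key on the cmdlet's parameter names.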