Potential Suspicious Windows Feature Enabled

Status: test
Severity: medium
Author: frack113
Source: github.com/SigmaHQ/sigma

Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.

Rule body (yaml)

title: Potential Suspicious Windows Feature Enabled
id: 55c925c1-7195-426b-a136-a9396800e29b
related:
    - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
      type: similar
status: test
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: frack113
date: 2022-09-10
modified: 2022-12-29
tags:
    - attack.stealth
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any insecure/unusual windows features to your env
        ScriptBlockText|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the features listed in the rule.
level: medium

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_cmd

selection_cmd:
    ScriptBlockText|contains|all:
        - 'Enable-WindowsOptionalFeature'
        - '-Online'
        - '-FeatureName'

Stage 2: selection_feature

selection_feature:
    # Add any insecure/unusual windows features to your env
    ScriptBlockText|contains:
        - 'TelnetServer'
        - 'Internet-Explorer-Optional-amd64'
        - 'TFTP'
        - 'SMB1Protocol'
        - 'Client-ProjFS'
        - 'Microsoft-Windows-Subsystem-Linux'
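The two selections and the `all of selection_*` condition above, as an added Python evaluator (not part of the rule or the SigmaHQ project) run over constructed ScriptBlockText values of the kind Script Block Logging produces. It assumes the Sigma default that `contains` is a case-insensitive substring match; the sample events are constructed for illustration.

```python
# Evaluator for the Sigma rule "Potential Suspicious Windows Feature Enabled".
# Sigma string modifiers are case-insensitive by default, so every comparison
# lowercases both the event text and the rule value.

# selection_cmd: ScriptBlockText|contains|all -> every token must appear
CMD_TOKENS = ("Enable-WindowsOptionalFeature", "-Online", "-FeatureName")

# selection_feature: ScriptBlockText|contains -> at least one token must appear
FEATURE_TOKENS = (
    "TelnetServer",
    "Internet-Explorer-Optional-amd64",
    "TFTP",
    "SMB1Protocol",
    "Client-ProjFS",
    "Microsoft-Windows-Subsystem-Linux",
)


def selection_cmd(script_block_text: str) -> bool:
    text = script_block_text.lower()
    return all(tok.lower() in text for tok in CMD_TOKENS)


def matched_features(script_block_text: str) -> list[str]:
    """Return the listed feature names found in the script block (may be empty)."""
    text = script_block_text.lower()
    return [tok for tok in FEATURE_TOKENS if tok.lower() in text]


def rule_matches(script_block_text: str) -> bool:
    # condition: all of selection_*
    return selection_cmd(script_block_text) and bool(matched_features(script_block_text))


# Constructed sample ScriptBlockText values (not real telemetry).
SAMPLE_EVENTS = [
    "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All",          # match
    "enable-windowsoptionalfeature -online -featurename Microsoft-Windows-Subsystem-Linux -NoRestart",  # match, case-insensitive
    "Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All",       # feature not listed
    "Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like 'SMB1*'",    # enumeration only
    "Enable-WindowsOptionalFeature -FeatureName TelnetServer -Path C:\\mount",        # offline image, no -Online
]


def evaluate(events: list[str]) -> list[bool]:
    """Apply the rule to each event and return one verdict per event."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT' if hit else 'ok   '} {event}  features={matched_features(event)}")
```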

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: ScriptBlockText
Kind: match
Values:
  • -FeatureName: corpus 2 (sigma 2)
  • -Online: corpus 2 (sigma 2)
  • Client-ProjFS
  • Enable-WindowsOptionalFeature: corpus 3 (sigma 2, splunk 1)
  • Internet-Explorer-Optional-amd64
  • Microsoft-Windows-Subsystem-Linux: corpus 2 (sigma 2)
  • SMB1Protocol: corpus 2 (sigma 1, splunk 1)
  • TFTP
  • TelnetServer