Potential Suspicious Windows Feature Enabled

title: Potential Suspicious Windows Feature Enabled
id: 55c925c1-7195-426b-a136-a9396800e29b
related:
    - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
      type: similar
status: test
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: frack113
date: 2022-09-10
modified: 2022-12-29
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any insecure/unusual windows features to your env
        ScriptBlockText|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the features listed in the rule.
level: medium