Dism Remove Online Package

    Date: 09/05/2024

    Severity: Medium

    Summary

    The Deployment Image Servicing and Management (DISM) tool is used to enumerate, install, uninstall, configure, and update features and packages within Windows images. With the /Online switch it services the running operating system rather than an offline image, and combined with /Disable-Feature it can remove security features; the Atomic Red Team test for T1562.001 referenced below uses exactly this to disable Windows Defender, so process creation events carrying both switches are the detection trigger.

    Indicators of Compromise (IOC) List

    Image:
        '\DismHost.exe'
        '\Dism.exe'

    ParentCommandLine:
        '/Online'
        '/Disable-Feature'

    CommandLine:
        '/Online'
        '/Disable-Feature'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((resourceName = "Sysmon" AND eventtype = "1") AND image In ("\DismHost.exe", "\Dism.exe") AND commandline In ("/Online", "/Disable-Feature") AND parentcommandline In ("/Online", "/Disable-Feature")))

    Detection Query 2

    (((Technologygroup = "EDR") AND image In ("\DismHost.exe", "\Dism.exe") AND commandline In ("/Online", "/Disable-Feature") AND parentcommandline In ("/Online", "/Disable-Feature")))
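    The matching logic behind the two queries, as an added example that is not part of the Gurucul advisory: it runs the page's Image / CommandLine / ParentCommandLine criteria over constructed Sysmon Event ID 1 records. The Gurucul query engine's exact semantics for "In" are not stated on the page, so the example assumes the natural reading: Dism.exe must carry both switches on its own command line, while the DismHost.exe helper inherits them from its parent's command line, and the offline /Image form does not fire.

```python
# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the advisory's queries key on. Sample values, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": r"Dism.exe /Online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe"},
    # DismHost.exe is spawned by Dism.exe; the switches live on the parent.
    {"id": 2, "Image": r"C:\Users\user\AppData\Local\Temp\ABC\DismHost.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\ABC\DismHost.exe {guid-placeholder}",
     "ParentCommandLine": r"dism.exe /online /disable-feature /featurename:Windows-Defender /remove"},
    # Benign enumeration: /Online without /Disable-Feature.
    {"id": 3, "Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": r"Dism.exe /Online /Get-Features",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe"},
    # Offline image servicing: /Disable-Feature without /Online.
    {"id": 4, "Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": r"Dism.exe /Image:C:\mount /Disable-Feature /FeatureName:SomeFeature",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe"},
]

# Values from the advisory's IOC list, lower-cased because Windows paths and
# DISM switches are case-insensitive and attackers vary the casing.
IMAGES = ("\\dismhost.exe", "\\dism.exe")
TOKENS = ("/online", "/disable-feature")


def contains_all(cmdline, tokens):
    """True when every token appears in cmdline, case-insensitively."""
    low = cmdline.lower()
    return all(t in low for t in tokens)


def is_dism_disable_feature(event):
    """Assumed reading of the page's query (see lead-in): Dism.exe must carry
    both switches itself; DismHost.exe is matched on its parent's command line."""
    image = event.get("Image", "").lower()
    if not image.endswith(IMAGES):
        return False
    if image.endswith("\\dism.exe"):
        return contains_all(event.get("CommandLine", ""), TOKENS)
    return contains_all(event.get("ParentCommandLine", ""), TOKENS)


def run_detection(events):
    """Return the ids of matching events, i.e. the triage list for the SOC."""
    return [e["id"] for e in events if is_dism_disable_feature(e)]


if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # -> [1, 2]
```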

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml

    https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism

    https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html


    Tags: Malware, Sigma
