Disable-WindowsOptionalFeature Command PowerShell

About the rule

Rule Type

Standard

Rule Description

Disable-WindowsOptionalFeature is a PowerShell cmdlet used to turn off optional features in Windows. Attackers may leverage this cmdlet to disable security software, patch updates, recovery tools, or other critical features, making the system more vulnerable during an attack. This rule detects the execution of the Disable-WindowsOptionalFeature cmdlet to identify such malicious attempts.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → PowerShell execution → Defense evasion → Disable or Modify Tools

Impact

• System compromise
• Defense evasion
• Persistence

Rule Requirement

Prerequisites

Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

(((( SCRIPTEXECUTED CONTAINS ""windows-defender-gui"" ) OR ( SCRIPTEXECUTED CONTAINS ""windows-defender-features"" ) OR ( SCRIPTEXECUTED CONTAINS ""windows-defender"" ) OR ( SCRIPTEXECUTED CONTAINS ""windows-defender-applicationguard"" ) )) AND ((( SCRIPTEXECUTED CONTAINS ""disable-windowsoptionalfeature"" ) AND( SCRIPTEXECUTED CONTAINS ""-online"" ) AND( SCRIPTEXECUTED CONTAINS ""-featurename"" ) )))

This rule is triggered when the executed script contains the following suspicious elements:

• windows-defender-gui: Refers to the Windows Defender Graphical User Interface component, which can be manipulated to disable Windows Defender.
• windows-defender-applicationguard: Refers to the Windows Defender Application Guard, which can be disabled to evade detection.
• disable-windowsoptionalfeature: Refers to a command used to disable the Windows Optional Feature.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Impair Defenses - Disable or Modify Tools (T1562.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of the Disable-WindowsOptionalFeature cmdlet being executed in PowerShell to disable optional Windows features. This enables you to monitor runtime environments like PowerShell and identify suspicious executions that indicate potential attempts to evade detection in the system.

Author

frack113

Future actions

Known False Positives

This rule might be triggered when admins disable optional Windows features as part of system optimization and maintenance.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell executions: Continuously monitor PowerShell activities, block command executions that involve Disable-WindowsOptionalFeature cmdlet, and restrict script execution privileges to administrators only.

Mitigation