dism.exe - Deployment Image Servicing Security Analysis
System utility
dism.exe (Deployment Image Servicing and Management) is a Windows utility for servicing Windows images. Attackers abuse DISM to enable disabled features such as WSL or legacy components, to replace system files through its repair/restore operations, and to bypass security controls. DISM execution outside maintenance windows is suspicious.
Risk Summary
HIGH priority for SOC triage. dism.exe can enable features, modify Windows images, and restore system files. Monitor for feature enabling (/Enable-Feature), especially WSL, Telnet, or other exploitable components. Legitimate use is administrative only.
Overview
What is dism.exe?
DISM (Deployment Image Servicing and Management) services Windows images.
Legitimate Functions
Image Servicing:
- Enable/disable Windows features
- Add/remove packages
- Repair Windows installation
- Mount WIM images
Security Significance
- Feature Control: Can enable exploitable features
- System Modification: Alters Windows configuration
- Admin Required: Requires elevation
- Abuse Potential: Used in attack chains
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\dism.exe |
| Parent | cmd.exe, powershell.exe (admin) |
| User | Administrator |
| Context | Maintenance, updates |
Common Legitimate Commands
dism /Online /Cleanup-Image /RestoreHealth
dism /Online /Get-Features
Common Locations
C:\Windows\System32\dism.exe
C:\Windows\SysWOW64\Dism\dism.exe
Suspicious Indicators
Legitimate vs Suspicious
| | LEGITIMATE | SUSPICIOUS |
|---|---|---|
| Context | Scheduled maintenance; admin troubleshooting | Non-maintenance time; non-admin user attempting |
| Command | /Cleanup-Image /RestoreHealth; /Get-Features (read-only) | /Enable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux; /Enable-Feature /FeatureName:TelnetClient; /Add-Package (outside update) |
Attack Techniques
Technique #1: Enable Vulnerable Features (T1562)
Enable WSL:
dism /Online /Enable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /All /NoRestart
Enable Telnet:
dism /Online /Enable-Feature /FeatureName:TelnetClient
Technique #2: Restore Malicious Files (T1564)
Using /RestoreHealth to replace system files.
Technique #3: Disable Security Features (T1562.001)
dism /Online /Disable-Feature /FeatureName:Windows-Defender
Detection Strategies
Priority #1: Feature Enable/Disable
Process = "dism.exe" AND
CommandLine CONTAINS ("/Enable-Feature" OR "/Disable-Feature")
→ ALERT: HIGH
Priority #2: WSL Enablement
Process = "dism.exe" AND
CommandLine CONTAINS "Subsystem-Linux"
→ ALERT: HIGH - WSL being enabled
Priority #3: Package Modification
Process = "dism.exe" AND
CommandLine CONTAINS "/Add-Package"
→ ALERT: HIGH
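The three priorities above, implemented as an added example (not part of the original page) over constructed process-creation records shaped like Sysmon Event ID 1 fields. The authorized-user set and the sample events are assumptions; the rules use case-insensitive matching because DISM switches are case-insensitive, and Priority #1 is written as one alternation so the OR binds inside the command-line test rather than against the process condition.

```python
import re

# Constructed sample records in the shape of Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dism.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\admin01", "CommandLine": "dism /Online /Cleanup-Image /RestoreHealth"},
    {"Image": r"C:\Windows\System32\dism.exe", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\admin01", "CommandLine": "dism /Online /Get-Features"},
    {"Image": r"C:\Windows\System32\dism.exe", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe",
     "CommandLine": "dism /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"},
    {"Image": r"C:\Windows\System32\dism.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\admin01", "CommandLine": r"dism /Online /Add-Package /PackagePath:C:\Users\Public\pkg.cab"},
    {"Image": r"C:\Windows\SysWOW64\Dism\dism.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\admin01", "CommandLine": "dism /Online /Disable-Feature /FeatureName:Windows-Defender"},
    # A non-DISM process whose command line merely mentions a DISM switch must not fire.
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe", "CommandLine": "cmd /c echo /Disable-Feature"},
]

# Assumed (hypothetical) set of accounts permitted to run DISM in this environment.
AUTHORIZED_DISM_USERS = {r"CORP\admin01"}

# DISM switches are case-insensitive, hence re.I on every pattern.
RULES = [
    ("P1_feature_enable_disable", re.compile(r"/(enable|disable)-feature", re.I)),
    ("P2_wsl_enablement", re.compile(r"subsystem-linux", re.I)),
    ("P3_package_modification", re.compile(r"/add-package", re.I)),
]

def triage(event):
    """Return the rule names the event matches and whether the user is outside the authorized set."""
    if not event["Image"].lower().endswith("\\dism.exe"):
        return {"rules": [], "unexpected_user": False}
    hits = [name for name, pattern in RULES if pattern.search(event["CommandLine"])]
    return {"rules": hits, "unexpected_user": event["User"] not in AUTHORIZED_DISM_USERS}

def alerts(events):
    """Map event index -> triage result for every event that fires at least one rule."""
    out = {}
    for i, event in enumerate(events):
        result = triage(event)
        if result["rules"]:
            out[i] = result
    return out

if __name__ == "__main__":
    for i, result in alerts(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"], result)
```

An `unexpected_user` hit on a feature change is the "non-admin user attempting" case from the table above and should raise the alert's priority, not replace it.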
Protection and Remediation
Defense: Monitor DISM Usage
Log all DISM executions with full command lines.
Defense: Application Control
Restrict DISM to specific admin accounts.
If Compromise Suspected
- Review DISM command history
- Check enabled features
- Verify feature list against baseline
- Disable any suspicious features
- Review Windows update log
Investigation Checklist
- Review full command line arguments
- Check for feature enable/disable
- Verify user had authorization
- Review enabled features list
- Check for recently enabled WSL/Telnet
- Compare features to baseline
- Review DISM log files