dism.exe (System Utility): Deployment Image Servicing Security Analysis
dism.exe (Deployment Image Servicing and Management) is a Windows utility for **servicing Windows images**. Attackers abuse DISM to **enable disabled features** like WSL or legacy components, **repair/restore malicious files**, and **bypass security controls**. DISM execution outside maintenance windows is suspicious.
Risk Summary
HIGH priority for SOC triage. dism.exe can enable features, modify Windows images, and restore system files. Monitor for feature enabling (/Enable-Feature), especially WSL, Telnet, or other exploitable components. Legitimate use is administrative only.
Overview
What is dism.exe?
DISM (Deployment Image Servicing and Management) services Windows images, either the running installation (/Online) or an offline image file.
Legitimate Functions
Image Servicing:
- Enable/disable Windows features
- Add/remove packages
- Repair Windows installation
- Mount WIM images
Security Significance
- Feature Control: Can enable exploitable features
- System Modification: Alters Windows configuration
- Admin Required: Requires elevation
- Abuse Potential: Used in attack chains
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\dism.exe |
| Parent | cmd.exe, powershell.exe (admin) |
| User | Administrator |
| Context | Maintenance, updates |
Common Legitimate Commands
```
dism /Online /Cleanup-Image /RestoreHealth
dism /Online /Get-Features
```
Common Locations
```
C:\Windows\System32\dism.exe
C:\Windows\SysWOW64\Dism\dism.exe
```
Suspicious Indicators
Legitimate vs Suspicious

| | Legitimate | Suspicious |
|---|---|---|
| Context | Scheduled maintenance; admin troubleshooting | Outside a maintenance window; non-admin user attempting to run DISM |
| Command | `/Cleanup-Image /RestoreHealth`; `/Get-Features` (read-only) | `/Enable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux`; `/Enable-Feature /FeatureName:TelnetClient`; `/Add-Package` (outside an update) |
Abuse Techniques
Technique #1: Enable Vulnerable Features (T1562)
Enable WSL for Attacks:
```
dism /Online /Enable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /All /NoRestart
```
Enable Telnet:
```
dism /Online /Enable-Feature /FeatureName:TelnetClient
```
Technique #2: Restore Malicious Files (T1564)
Abusing /RestoreHealth to replace system files with attacker-supplied copies.
Technique #3: Disable Security Features (T1562.001)
```
dism /Online /Disable-Feature /FeatureName:Windows-Defender
```
Detection Guidance
Priority #1: Feature Enable/Disable
```
Process = "dism.exe" AND
(CommandLine CONTAINS "/Enable-Feature" OR CommandLine CONTAINS "/Disable-Feature")
→ ALERT: HIGH
```
Priority #2: WSL Enablement
```
Process = "dism.exe" AND
CommandLine CONTAINS "Subsystem-Linux"
→ ALERT: HIGH - WSL being enabled
```
Priority #3: Package Modification
```
Process = "dism.exe" AND
CommandLine CONTAINS "/Add-Package"
→ ALERT: HIGH
```
Match the process by image file name rather than full path so that both the System32 and SysWOW64 copies are covered, and match command-line switches case-insensitively, since DISM accepts /enable-feature as well as /Enable-Feature.
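The three detection priorities above, applied to constructed process-creation events, as an added example that is not part of the original page. The event dictionaries, user names and command lines are constructed for illustration; the field names (Image, CommandLine, User) follow the Sysmon Event ID 1 layout. The WSL rule is narrowed slightly from the page's text so that it fires only on an enable command rather than on any mention of Subsystem-Linux.

```python
"""Added example: the page's three DISM detection priorities as code."""
import re
from dataclasses import dataclass

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dism.exe",
     "CommandLine": "dism /Online /Cleanup-Image /RestoreHealth",
     "User": "CORP\\svc-patching"},
    {"Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "Dism /Online /Enable-Feature /FeatureName:Microsoft-Windows-Subsystem-Linux /All /NoRestart",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\dism.exe",
     "CommandLine": "dism /online /disable-feature /featurename:Windows-Defender",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\dism.exe",
     "CommandLine": "dism /Online /Add-Package /PackagePath:C:\\Users\\Public\\update.cab",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\dism.exe",
     "CommandLine": "dism /Online /Get-Features",
     "User": "CORP\\svc-patching"},
]


@dataclass
class Alert:
    priority: int
    severity: str
    reason: str


# (priority, severity, reason, regex over the command line).
# Case-insensitive because DISM accepts /enable-feature as well as
# /Enable-Feature, and exact-string rules miss casing variants.
RULES = [
    (1, "HIGH", "feature enable/disable",
     re.compile(r"/(enable|disable)-feature", re.IGNORECASE)),
    (2, "HIGH", "WSL being enabled",
     re.compile(r"/enable-feature.*subsystem-linux", re.IGNORECASE)),
    (3, "HIGH", "package modification",
     re.compile(r"/add-package", re.IGNORECASE)),
]


def is_dism(image: str) -> bool:
    """Match on the image file name, not the full path, so the System32
    and SysWOW64 copies are both covered."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "dism.exe"


def evaluate(event: dict) -> list[Alert]:
    """Return every alert the event triggers; one event can match several rules."""
    if not is_dism(event.get("Image", "")):
        return []
    cmd = event.get("CommandLine", "")
    return [Alert(p, sev, reason) for p, sev, reason, rx in RULES if rx.search(cmd)]


def triage(events: list[dict]) -> list[tuple[int, list[Alert]]]:
    """Index of each alerting event with its alerts. Read-only and repair
    commands (/Get-Features, /RestoreHealth) produce no alert."""
    return [(i, alerts) for i, e in enumerate(events) if (alerts := evaluate(e))]


if __name__ == "__main__":
    for i, alerts in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        for a in alerts:
            print(f"ALERT {a.severity} (priority {a.priority}) {a.reason}: "
                  f"{ev['User']} ran: {ev['CommandLine']}")
```

Running the block prints one line per matched rule; the WSL enable event produces both a priority 1 and a priority 2 alert, which is the intended behaviour, since the second rule exists to give the WSL case its own label in triage.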
Remediation Steps
Defense: Monitor DISM Usage
Log all DISM executions with full command lines.
Defense: Application Control
Restrict DISM to specific admin accounts.
If Compromise Suspected
- Review DISM command history
- Check enabled features
- Verify feature list against baseline
- Disable any suspicious features
- Review Windows update log
Investigation Checklist
- Review full command line arguments
- Check for feature enable/disable
- Verify user had authorization
- Review enabled features list
- Check for recently enabled WSL/Telnet
- Compare features to baseline
- Review DISM log files
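The "compare features to baseline" steps in the remediation and investigation checklists above, as an added example that is not part of the original page. It parses the text that `dism /Online /Get-Features` prints (the "Feature Name :" / "State :" pairs), diffs a current capture against a saved baseline, and flags the features this page singles out. Both captures are constructed for illustration, not taken from a real host; the feature names used are those the page itself mentions plus one print-to-PDF feature.

```python
"""Added example: diff DISM /Get-Features output against a saved baseline."""

# Constructed captures in the layout DISM uses for /Get-Features.
BASELINE_OUTPUT = """\
Deployment Image Servicing and Management tool

Feature Name : Printing-PrintToPDFServices-Features
State : Enabled

Feature Name : Microsoft-Windows-Subsystem-Linux
State : Disabled

Feature Name : TelnetClient
State : Disabled

Feature Name : Windows-Defender
State : Enabled

The operation completed successfully.
"""

CURRENT_OUTPUT = """\
Deployment Image Servicing and Management tool

Feature Name : Printing-PrintToPDFServices-Features
State : Enabled

Feature Name : Microsoft-Windows-Subsystem-Linux
State : Enable Pending

Feature Name : TelnetClient
State : Enabled

Feature Name : Windows-Defender
State : Disabled

The operation completed successfully.
"""

# Features the page names as commonly abused once enabled.
WATCHLIST = {"Microsoft-Windows-Subsystem-Linux", "TelnetClient"}


def parse_features(text: str) -> dict[str, str]:
    """Map feature name -> state from /Get-Features output.
    Lines without a colon (banner, blank, completion message) are skipped."""
    features: dict[str, str] = {}
    name = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Feature Name":
            name = value
        elif key == "State" and name is not None:
            features[name] = value
            name = None
    return features


def is_enabled(state: str) -> bool:
    """'Enable Pending' (set with /NoRestart, takes effect after reboot)
    counts as enabled for investigation purposes."""
    return state.lower().startswith("enable")


def diff_features(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Features whose effective state changed since the baseline. A feature
    absent from the baseline is treated as disabled there."""
    newly_enabled = sorted(n for n, s in current.items()
                           if is_enabled(s) and not is_enabled(baseline.get(n, "Disabled")))
    newly_disabled = sorted(n for n, s in current.items()
                            if not is_enabled(s) and is_enabled(baseline.get(n, "Disabled")))
    return {
        "newly_enabled": newly_enabled,
        "newly_disabled": newly_disabled,
        "watchlist_hits": [n for n in newly_enabled if n in WATCHLIST],
    }


if __name__ == "__main__":
    report = diff_features(parse_features(BASELINE_OUTPUT), parse_features(CURRENT_OUTPUT))
    for label, names in report.items():
        print(f"{label}: {', '.join(names) if names else '(none)'}")
```

In practice the baseline text comes from a capture taken at build time and the current text from running DISM on the host under investigation; the parser deliberately ignores the version banner and completion line so minor differences in DISM versions do not break the comparison.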