Dism.exe

  • File Path: C:\WINDOWS\system32\Dism.exe
  • Description: Dism Image Servicing Utility

Hashes

Type Hash
MD5 666F42B887E9F05A78E048BCC7AC9261
SHA1 26CDB57E1EF5F97A39B2DB4762AC21306CB535DC
SHA256 C32CD1528CD9D3A2D6763357061A85D1E02DA2209377A4EAD1F4F7D7E3C1367C
SHA384 A32F6C3EBC5A1E8C749F4CD795E2625AC99A445836B3884EF338E1D7F2DE87E957D90740FA0EBA26F729B23D274870DF
SHA512 88CEDC8184869DAF21AECB65B4B2EAD952B9AFC53F6DD404BA427924FB289E06DBE50682E7272FA90A64FEE6BD50F54BEAD5BDC4B64702264B6CA1636783541D
SSDEEP 6144:sgLBFT2TLLjUQi7fv+KaNMlWExBuTMs2jCrs:GAJCEE2n

Runtime Data

Usage (stdout):


Error: 740

Elevated permissions are required to run DISM. 
Use an elevated command prompt to complete these tasks.

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DISM.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of Dism.exe being misused. While Dism.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_user_driver_loaded.yml - '\Windows\System32\Dism.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\Windows\System32\dism.exe' DRL 1.0
sigma image_load_uac_bypass_via_dism.yml - '\dism.exe' DRL 1.0
sigma proc_creation_win_dsim_remove.yml Image\|endswith: '\Dism.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck' DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml Image\|endswith: '\dism.exe' DRL 1.0
atomic-red-team T1562.001.md The following Atomic will attempt to disable Windows-Defender using the built in DISM.exe, Deployment Image Servicing and Management tool. MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.