DismHost.exe

  • File Path: C:\windows\system32\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

| Type | Hash |
|------|------|
| MD5 | DD630511F697002DDEE58570A2E7A3D1 |
| SHA1 | 519C1A21CAC1C1BC0EBF9CEC20761AEF4E5ED335 |
| SHA256 | 95AEC6D12E6F9E6E1E3045259CF024D30625BF4E520D94F333387359221735E4 |
| SHA384 | 6BFBDA34E225FA5071F2D264560BEA257E4F39C50526C8378F0FD84A12DA572633FA296B3BE73343CF71A6A24B3BDCE3 |
| SHA512 | 74C201C375F994551CC7DB591993D330521025466B8C3B2CCBA6E9835448F9C86B795E0AC4289F1804C5568AEE3FC3057D51380AC3AA67D2BDF2387FE4A828E5 |
| SSDEEP | 3072:RJ7FsTbuZ7Zi+lzqDq7FUm/AuRXSprvBODB:LFsTbu/lzaqNANprvs1 |

Signature

  • Status: Signature verified.
  • Serial: 33000001B24A37C6C97E0168860001000001B2
  • Thumbprint: A380D6A21D68FA9B52D2405B36C712BAFA57632B
  • Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.19397 (winblue_ltsb.190608-0600)
  • Product Version: 6.3.9600.19397
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | image_load_suspicious_vss_ps_load.yml | - 'dismhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_dsim_remove.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | title: UAC Bypass Using DismHost | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | - '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | - '\dismhost.exe {' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.