Question Analysis

// DISM will run as dwm.exe if launched by system, which will run at medium IL. Admin privilege is provided by legitimate autologin technique via Task Scheduler to run dwm as system in admin context, and uicleanup runs dwm as the session shell. DISM cli parameters taken from process name and not process path for techniques like "dism" in Windows/Temp appearing as "dismhost.exe" (or in other directories) these never show as command line activity for any event sources. DeviceProcessEvents | where (ProcessCommandLine contains "/Online" and (ProcessCommandLine contains "/Get-Intl" or ProcessCommandLine contains "/Get-UserIntlDefaults" or ProcessCommandLine contains "/Get-InputLocales" or ProcessCommandLine contains "/Get-SystemLocales")) | project TimeGenerated, ActionType, DeviceName, DeviceId, FileName, ProcessCommandLine, FolderPath, InitiatingProcessAccountName, InitiatingProcessLogonId, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessId | distinct TimeGenerated, ActionType, DeviceName, DeviceId, FileName, ProcessCommandLine, FolderPath, InitiatingProcessAccountName, InitiatingProcessLogonId, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessId //deduping events in case of parallel telemetry | extend Timestamp = TimeGenerated, HostName = tostring(split(DeviceName, ".")[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, "."), 1, -1), ".")) | extend Name = tostring(split(InitiatingProcessAccountName, "@", 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountName, "@", 1)[0]) | extend username = iff(isnotempty(UPNSuffix), InitiatingProcessAccountName, strcat(Name, "@", DnsDomain))

DeviceProcessEvents | where ProcessCommandLine has "DISM.exe" and ProcessCommandLine has "intl" and isnotempty(ProcessCommandLine) | project DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessTokenElevation

union DeviceProcessEvents, DeviceEvents | where ActionType == "ProcessCreated" | where FileName endswith "dism.exe" or InitiatingProcessFileName endswith "dism.exe" // Look for the system-locale enumeration arguments | where (ProcessCommandLine has "/online" and ProcessCommandLine has "/get-intl") or (InitiatingProcessCommandLine has "/online" and InitiatingProcessCommandLine has "/get-intl") // Check for elevated processes | where tolower(ProcessTokenElevation) has "full" or tolower(InitiatingProcessTokenElevation) has "full" or ProcessIntegrityLevel =~ "High" or InitiatingProcessIntegrityLevel =~ "High" | project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ProcessTokenElevation, InitiatingProcessTokenElevation, ProcessIntegrityLevel, InitiatingProcessIntegrityLevel | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "dism.exe" | where ProcessCommandLine has_all ("/get-intl", "/online") | where ProcessTokenElevation =~ "TokenElevationTypeFull" or ProcessIntegrityLevel =~ "High" | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where tolower(InitiatingProcessFileName) contains "dism.exe" | where tolower(InitiatingProcessCommandLine) contains "/get-intl" | project TimeGenerated, DeviceName, CommandLine=InitiatingProcessCommandLine, TokenElevation=InitiatingProcessTokenElevation