Question Analysis

// DISM will run as dwm.exe if launched by system, which will run at medium IL. Admin privilege is provided by legitimate autologin technique via Task Scheduler to run dwm as system in admin context, and uicleanup runs dwm as the session shell. DISM cli parameters taken from process name and not process path for techniques like "dism" in Windows/Temp appearing as "dismhost.exe" (or in other directories) these never show as command line activity for any event sources. DeviceProcessEvents | where (ProcessCommandLine contains "/Online" and (ProcessCommandLine contains "/Get-Intl" or ProcessCommandLine contains "/Get-UserIntlDefaults" or ProcessCommandLine contains "/Get-InputLocales" or ProcessCommandLine contains "/Get-SystemLocales")) | project TimeGenerated, ActionType, DeviceName, DeviceId, FileName, ProcessCommandLine, FolderPath, InitiatingProcessAccountName, InitiatingProcessLogonId, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessId | distinct TimeGenerated, ActionType, DeviceName, DeviceId, FileName, ProcessCommandLine, FolderPath, InitiatingProcessAccountName, InitiatingProcessLogonId, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessId //deduping events in case of parallel telemetry | extend Timestamp = TimeGenerated, HostName = tostring(split(DeviceName, ".")[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, "."), 1, -1), ".")) | extend Name = tostring(split(InitiatingProcessAccountName, "@", 0)[0]), UPNSuffix = tostring(split(InitiatingProcessAccountName, "@", 1)[0]) | extend username = iff(isnotempty(UPNSuffix), InitiatingProcessAccountName, strcat(Name, "@", DnsDomain))

DeviceProcessEvents | where ProcessCommandLine has "DISM.exe" and ProcessCommandLine has "intl" and isnotempty(ProcessCommandLine) | project DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessTokenElevation

union DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceRegistryEvents | extend ProcessCmd = coalesce(tolower(ProcessCommandLine), tolower(InitiatingProcessCommandLine), "") | extend File = coalesce(tolower(FileName), tolower(InitiatingProcessFileName), "") // Quick pre-filter to reduce noise: any mention of dism or intl in command-line/file | where File endswith "dism.exe" or ProcessCmd contains "dism" or ProcessCmd contains "intl" or ProcessCmd contains "get-intl" or ProcessCmd contains "get intl" // More specific patterns to capture DISM + Get-Intl variants (allowing up to ~100 chars between tokens) | where ProcessCmd matches regex @"\bdism\b(.{0,100})get-?intl" or ProcessCmd matches regex @"get-?intl(.{0,100})\bdism\b" or (File endswith "dism.exe" and ProcessCmd contains "intl") // Require elevated/high integrity token (adjust as needed if your environment uses different values) | where tolower(tostring(ProcessTokenElevation)) contains "elevated" or tolower(tostring(InitiatingProcessTokenElevation)) contains "elevated" or tolower(ProcessIntegrityLevel) contains "high" or tolower(InitiatingProcessIntegrityLevel) contains "high" | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessId, InitiatingProcessId, ProcessCommandLine, InitiatingProcessCommandLine, ProcessCmd, InitiatingProcessAccountName, InitiatingProcessAccountDomain, ProcessTokenElevation, InitiatingProcessTokenElevation, ProcessIntegrityLevel, InitiatingProcessIntegrityLevel, ReportId | order by TimeGenerated desc

union DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceRegistryEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(FileName) or isnotempty(InitiatingProcessFileName) // Narrow to DISM invocations | where tolower(ProcessCommandLine) contains "dism" or tolower(InitiatingProcessCommandLine) contains "dism" or tolower(FileName) contains "dism" or tolower(InitiatingProcessFileName) contains "dism" // Specifically look for the Get-Intl / getintl switch used to enumerate international/locale settings | where tolower(ProcessCommandLine) contains "get-intl" or tolower(ProcessCommandLine) contains "getintl" or tolower(InitiatingProcessCommandLine) contains "get-intl" or tolower(InitiatingProcessCommandLine) contains "getintl" // Require evidence the process was elevated (token elevation or high integrity) | where tostring(ProcessTokenElevation) has "Elevat" or tostring(InitiatingProcessTokenElevation) has "Elevat" or tolower(ProcessIntegrityLevel) has "high" or tolower(InitiatingProcessTokenElevation) has "elevat" // Prefer the actual command line seen; fall back to initiating process command line if needed | extend ExactCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, FileName, ProcessId, ExactCommandLine, ProcessTokenElevation, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, AccountName, ReportId | distinct ExactCommandLine, DeviceName, FileName, ProcessId, ProcessTokenElevation, ProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessAccountName, AccountName, ReportId, TimeGenerated | order by TimeGenerated desc

DeviceProcessEvents | where (tolower(InitiatingProcessFileName) == "dism.exe" or tolower(ProcessCommandLine) contains "dism" or tolower(InitiatingProcessCommandLine) contains "dism") | where (tolower(InitiatingProcessCommandLine) contains "/get-intl" or tolower(InitiatingProcessCommandLine) contains "/getintl" or tolower(InitiatingProcessCommandLine) contains "get-intl" or tolower(InitiatingProcessCommandLine) contains "getintl" or tolower(ProcessCommandLine) contains "/get-intl" or tolower(ProcessCommandLine) contains "/getintl" or tolower(ProcessCommandLine) contains "get-intl" or tolower(ProcessCommandLine) contains "getintl") | where (tolower(InitiatingProcessTokenElevation) contains "elev" or tolower(InitiatingProcessTokenElevation) contains "admin" or tolower(InitiatingProcessTokenElevation) contains "high" or tolower(InitiatingProcessTokenElevation) contains "system") | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessTokenElevation, ProcessCommandLine, ProcessId | sort by TimeGenerated desc

union DeviceProcessEvents, DeviceEvents | where ActionType == "ProcessCreated" | where FileName endswith "dism.exe" or InitiatingProcessFileName endswith "dism.exe" // Look for the system-locale enumeration arguments | where (ProcessCommandLine has "/online" and ProcessCommandLine has "/get-intl") or (InitiatingProcessCommandLine has "/online" and InitiatingProcessCommandLine has "/get-intl") // Check for elevated processes | where tolower(ProcessTokenElevation) has "full" or tolower(InitiatingProcessTokenElevation) has "full" or ProcessIntegrityLevel =~ "High" or InitiatingProcessIntegrityLevel =~ "High" | project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ProcessTokenElevation, InitiatingProcessTokenElevation, ProcessIntegrityLevel, InitiatingProcessIntegrityLevel | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "dism.exe" | where ProcessCommandLine has_all ("/get-intl", "/online") | where ProcessTokenElevation =~ "TokenElevationTypeFull" or ProcessIntegrityLevel =~ "High" | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" // keep only process start telemetry | where FileName =~ "dism.exe" // DISM utility | where ProcessCommandLine contains "/get-intl" and ProcessCommandLine contains "/online" // ---- elevation checks (some tenants fill one or the other) ---- | where ProcessTokenElevation == "Elevated" or ProcessIntegrityLevel in ("High", "System") // -------------------------------------------------------------- | project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine, // exact command line that was run FolderPath, ProcessId, ProcessIntegrityLevel, ProcessTokenElevation, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, ReportId | order by TimeGenerated desc

DeviceProcessEvents | where tolower(InitiatingProcessFileName) contains "dism.exe" | where tolower(InitiatingProcessCommandLine) contains "/get-intl" | project TimeGenerated, DeviceName, CommandLine=InitiatingProcessCommandLine, TokenElevation=InitiatingProcessTokenElevation