Advisory, severity: high

Windows DISM Used to Remove Windows Defender

The analytic detects the use of `dism.exe` to remove Windows Defender, potentially allowing adversaries to evade detection and carry out further malicious actions.

This threat brief addresses the use of Deployment Image Servicing and Management (DISM) to remove Windows Defender. Rather than merely disabling real-time protection, an adversary with administrative rights can uninstall the Defender feature itself, so that payloads executed afterwards are never scanned. The `Windows-Defender` feature name applies to Windows Server editions, where Defender is installed as an optional feature that DISM can service; on client editions DISM does not expose Defender as a removable feature, so this technique is primarily a server-side concern. The activity is significant because an endpoint without Defender offers the attacker persistent access, execution of additional payloads, and exfiltration of sensitive data without interruption. The original Splunk ES/CU analytic was published in May 2026, highlighting the continued relevance of this technique. This brief provides updated detection guidance for security teams.

Attack Chain

  1. An attacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability) and obtains local administrator rights; DISM cannot service the running image from an unelevated context.
  2. The attacker executes dism.exe against the running operating system (the /online parameter) with /disable-feature, naming the Windows Defender optional feature as the target (featurename:Windows-Defender).
  3. The attacker adds the /remove parameter so that the feature payload is removed from the component store rather than only disabled, which makes re-enabling Defender harder.
  4. DISM may report that a restart is required for the change to complete; once Windows Defender is removed, the attacker executes malicious payloads without immediate detection.
  5. The attacker achieves their objective, such as data exfiltration, lateral movement, or ransomware deployment.

Impact

Successful removal of Windows Defender strips the built-in antimalware layer from the affected endpoint. Subsequent payloads run without Defender scanning, alerting, or quarantine, which in turn enables data theft, further system compromise, or ransomware deployment. The referenced DFIR Report (2020) describes this technique in Pysa/Mespinoza ransomware intrusions, indicating that real-world actors employ this evasion strategy.

Recommendation

  • Deploy the Sigma rule Detect DISM Usage to Remove Windows Defender to your SIEM and tune it for your environment. DISM is used routinely by administrators and imaging tools, so alert on the combination of parameters that removes Windows Defender, not on dism.exe execution alone.
  • Enable Sysmon process-creation logging (Event ID 1), or Windows Security Event ID 4688 with the "Include command line in process creation events" policy enabled, so that the full command line is available to the rule.
  • Investigate any instance of dism.exe executing with command-line arguments containing /online, /disable-feature, Windows-Defender, and /remove. Establish which account and parent process launched it, whether the change was authorised, and whether Defender is still present on the host (on Windows Server, Get-WindowsFeature Windows-Defender).
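The following Python is an added example, not the platform's rule logic (which this page does not reproduce). It models the matching behind both detections listed under Detection coverage and runs it over constructed Sysmon Event ID 1 records. The field names (Image, OriginalFileName, CommandLine, User) are Sysmon's; the OriginalFileName value DISM.EXE and the sample events themselves are assumptions written for the example.

```python
"""Matching logic for the two DISM / Windows Defender detections on this page,
re-implemented in Python over constructed Sysmon Event ID 1 records so it can
be run offline. Added example, not the vendor's Sigma rules. Field names follow
the Sysmon process-creation event; the sample events are constructed, not
captured from a real host."""

RULE_REMOVE = "Detect DISM Usage to Remove Windows Defender"
RULE_NON_SYSTEM = "Detect DISM Usage by Non-System Account"

# All four tokens must be present. DISM switches are case-insensitive, so the
# comparison is done on a lower-cased command line. "windows-defender" is a
# substring match on purpose: it also catches Windows-Defender-Features and
# Windows-Defender-Gui, which deserve the same scrutiny.
REQUIRED_TOKENS = ("/online", "/disable-feature", "windows-defender", "/remove")

# Accounts treated as "system" for the second rule.
SYSTEM_ACCOUNTS = {r"nt authority\system"}


def is_dism(event: dict) -> bool:
    """True if the process is dism.exe by path or by PE OriginalFileName
    (the latter survives a renamed copy of the binary). DISM.EXE as the
    OriginalFileName value is an assumption made for this example."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    original = event.get("OriginalFileName", "").lower()
    return image == "dism.exe" or original == "dism.exe"


def removes_defender(cmdline: str) -> bool:
    """True if the command line carries every token of the removal pattern."""
    lowered = cmdline.lower()
    return all(token in lowered for token in REQUIRED_TOKENS)


def classify(event: dict) -> list:
    """Return the names of the rules an event matches, in page order."""
    if not is_dism(event) or not removes_defender(event.get("CommandLine", "")):
        return []
    hits = [RULE_REMOVE]
    if event.get("User", "").lower() not in SYSTEM_ACCOUNTS:
        hits.append(RULE_NON_SYSTEM)
    return hits


def run(events: list) -> dict:
    """Map each rule name to the indices of the events that triggered it."""
    result = {RULE_REMOVE: [], RULE_NON_SYSTEM: []}
    for idx, ev in enumerate(events):
        for rule in classify(ev):
            result[rule].append(idx)
    return result


# Constructed Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: interactive user removing Defender, the pattern from the attack chain
        "Image": r"C:\Windows\System32\Dism.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": r"dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove",
        "User": r"CORP\jdoe",
    },
    {   # 1: same command from SYSTEM (e.g. a deployment agent); rule 2 stays silent
        "Image": r"C:\Windows\System32\Dism.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": r"Dism.exe /Online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # 2: renamed copy of dism.exe; the path check misses it, OriginalFileName does not
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": r"svc.exe /online /disable-feature /featurename:windows-defender /remove /quiet",
        "User": r"CORP\jdoe",
    },
    {   # 3: routine administration, must not alert
        "Image": r"C:\Windows\System32\Dism.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": r"Dism.exe /Online /Enable-Feature /FeatureName:NetFx3 /All",
        "User": r"CORP\admin",
    },
    {   # 4: read-only query, must not alert
        "Image": r"C:\Windows\System32\Dism.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": r"Dism.exe /Online /Get-Features",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # 5: the tokens echoed by a non-DISM process, must not alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -Command \"Write-Output '/online /disable-feature windows-defender /remove'\"",
        "User": r"CORP\jdoe",
    },
]

if __name__ == "__main__":
    for rule, idxs in run(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idxs}")
```

Events 2 and 5 illustrate the two failure modes of a naive rule: keying on the image path alone misses a renamed copy of the binary, while keying on the command-line tokens alone fires on any process that merely echoes them. A production Sigma rule expresses the same conditions with `Image|endswith`, `OriginalFileName`, and `CommandLine|contains|all` selections, and the second rule adds a filter on the User field.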

Detection coverage (2 rules)

Detect DISM Usage to Remove Windows Defender

high

Detects the execution of dism.exe with parameters used to remove Windows Defender.

Rule format: Sigma | Tactic: defense_evasion | Technique: T1562.001 | Log sources: process_creation, windows

Detect DISM Usage by Non-System Account

high

Detects the execution of dism.exe with parameters used to remove Windows Defender by a user account rather than the SYSTEM account, which separates hands-on-keyboard activity from deployment tooling running as SYSTEM.

Rule format: Sigma | Tactic: defense_evasion | Technique: T1562.001 | Log sources: process_creation, windows
