Potentially Suspicious WDAC Policy File Creation

Detects suspicious Windows Defender Application Control (WDAC) policy file creation by abnormal processes. Because WDAC decides which code is allowed to execute, an attacker with administrative rights can deploy a policy that blocks EDR/AV components from loading while still allowing their own malicious code to run on the system.

Sigma rule

title: Potentially Suspicious WDAC Policy File Creation
id: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
status: experimental
description: |
    Detects suspicious Windows Defender Application Control (WDAC) policy file creation by abnormal processes. An attacker can abuse a WDAC policy to block EDR/AV components while allowing their own malicious code to run on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
    - https://github.com/logangoins/Krueger/tree/main
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
author: X__Junior
date: 2025-02-07
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection_target:
        # This is the default location, but the policy path can be any path configured in the Group Policy Management Editor.
        # No file extension is required because any extension works; see the first reference.
        TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
    filter_main_images:
        Image|endswith:
            - '\Microsoft.ConfigurationManagement.exe' # Replace with the full path to avoid false negatives
            - '\WDAC Wizard.exe' # Replace with the full path to avoid false negatives
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\dllhost.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\dllhost.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_cli:
        - CommandLine|contains|all:
              - 'ConvertFrom-CIPolicy -XmlFilePath'
              - '-BinaryFilePath '
        - CommandLine|contains: 'CiTool --update-policy'
        - CommandLine|contains|all:
              - 'Copy-Item -Path'
              - '-Destination'
    condition: selection_target and not 1 of filter_main_*
falsepositives:
    - Administrators and security vendors may legitimately deploy WDAC policies; apply additional filters as needed.
level: medium
