Potentially Suspicious WDAC Policy File Creation
Detects suspicious Windows Defender Application Control (WDAC) policy file creation by abnormal processes. A WDAC policy can be abused by an attacker to block EDR/AV components while allowing their own malicious code to run on the system.
Sigma rule
```yaml
title: Potentially Suspicious WDAC Policy File Creation
id: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
status: experimental
description: |
    Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by an attacker to block EDR/AV components while allowing their own malicious code to run on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
    - https://github.com/logangoins/Krueger/tree/main
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
author: X__Junior
date: 2025-02-07
modified: 2025-04-21
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection_target:
        # This is the default location, but unfortunately it could be any path configured in Group Policy Management Editor.
        # No file extension is needed because any extension would work; check the first reference.
        TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
    filter_main_images:
        Image|endswith:
            - '\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives
            - '\WDAC Wizard.exe' # Replace with full path to avoid false negatives
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\dllhost.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\dllhost.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_cli:
        - CommandLine|contains|all:
              - 'ConvertFrom-CIPolicy -XmlFilePath'
              - '-BinaryFilePath '
        - CommandLine|contains: 'CiTool --update-policy'
        - CommandLine|contains|all:
              - 'Copy-Item -Path'
              - '-Destination'
    filter_main_system:
        Image: 'System'
    condition: selection_target and not 1 of filter_main_*
falsepositives:
    - Administrators and security vendors could leverage WDAC; apply additional filters as needed.
level: medium
```
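The rule's condition (`selection_target and not 1 of filter_main_*`) evaluated in Python over constructed Sysmon-style file-creation events, as an added example that is not part of the Sigma project or the rule itself; the field names follow the rule, the sample process and file paths are made up.

```python
from dataclasses import dataclass
# Values copied from the rule; Sigma string matching is case-insensitive, so everything is lowercased.
CI_DIR = "\\windows\\system32\\codeintegrity\\"
IMAGE_SUFFIXES = tuple(s.lower() for s in (
    "\\Microsoft.ConfigurationManagement.exe", "\\WDAC Wizard.exe",
    "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "C:\\Windows\\System32\\dllhost.exe", "C:\\Windows\\SysWOW64\\dllhost.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
))
# Each tuple is one CommandLine|contains|all group; the CiTool entry is a plain contains.
CLI_GROUPS = (("convertfrom-cipolicy -xmlfilepath", "-binaryfilepath "),
              ("citool --update-policy",),
              ("copy-item -path", "-destination"))

@dataclass
class FileEvent:
    image: str              # Image: process that created the file
    target_filename: str    # TargetFilename: path of the created file
    command_line: str = ""  # CommandLine: may be absent on some file-event sources

def matches(ev: FileEvent) -> bool:
    """Evaluate 'selection_target and not 1 of filter_main_*' for one event."""
    target, image, cli = (s.lower() for s in (ev.target_filename, ev.image, ev.command_line))
    if CI_DIR not in target:                                   # selection_target
        return False
    if any(image.endswith(s) for s in IMAGE_SUFFIXES):         # filter_main_images
        return False
    if any(all(tok in cli for tok in g) for g in CLI_GROUPS):  # filter_main_cli
        return False
    if image == "system":                                      # filter_main_system
        return False
    return True

def alerts(events):
    """Return the subset of events the rule would fire on."""
    return [ev for ev in events if matches(ev)]

# Constructed sample events (made up for this example); a .p7b under CodeIntegrity is a typical WDAC policy artifact.
POLICY = "C:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b"
SAMPLE_EVENTS = [
    FileEvent("C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe", POLICY),                       # fires
    FileEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", POLICY),       # filtered: image
    FileEvent("C:\\Tools\\deploy.exe", POLICY, "CiTool --update-policy SiPolicy.p7b"),          # filtered: CLI
    FileEvent("System", POLICY),                                                                # filtered: System
    FileEvent("C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe", "C:\\Users\\bob\\policy.xml"),  # not CodeIntegrity
]
```

Note that the first two `Image|endswith` entries are bare file names, so any process named `WDAC Wizard.exe` in any directory is excluded; the rule's own comment recommends replacing them with full paths.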