Use of Wfc.exe
The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Sigma rule (View on GitHub)
1title: Use of Wfc.exe
2id: 49be8799-7b4d-4fda-ad23-cafbefdebbc5
3status: test
4description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
5references:
6 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
7 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
8author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
9date: 2022/06/01
10tags:
11 - attack.defense_evasion
12 - attack.t1127
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\wfc.exe'
19 - OriginalFileName: 'wfc.exe'
20 condition: selection
21falsepositives:
22 - Legitimate use by a software developer
23level: medium
References
Related rules
- Ilasm Lolbin Use Compile C-Sharp
- JSC Convert Javascript To Executable
- Kavremover Dropped Binary LOLBIN Usage
- Node Process Executions
- Remote Thread Creation Ttdinject.exe Proxy