← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potentially Suspicious WDAC Policy File Creation

Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.

Quality
58
FP risk
Forks
0
Views
0
Rule sourcerules/windows/file/file_event/file_event_win_susp_wdac_policy_creation.yml
title: Potentially Suspicious WDAC Policy File Creation
id: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
status: experimental
description: |
    Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
    - https://github.com/logangoins/Krueger/tree/main
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
author: X__Junior
date: 2025-02-07
modified: 2025-12-03
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection_target:
        # This is a default location but unfortunately it could be any path configured in Group Policy Management Editor.
        # No file extension needed because any extension would work, check first reference.
        TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
    filter_main_images:
        Image|endswith:
            - '\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives
            - '\WDAC Wizard.exe' # Replace with full path to avoid false negatives
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\dllhost.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\dllhost.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_cli:
        - CommandLine|contains|all:
              - 'ConvertFrom-CIPolicy -XmlFilePath'
              - '-BinaryFilePath '
        - CommandLine|contains: 'CiTool --update-policy'
        - CommandLine|contains|all:
              - 'Copy-Item -Path'
              - '-Destination'
    filter_main_system:
        Image: 'System'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    condition: selection_target and not 1 of filter_main_*
falsepositives:
    - Administrators and security vendors could leverage WDAC, apply additional filters as needed.
level: medium