LoFP / Administrators and security vendors could leverage WDAC; apply additional filters as needed.

Techniques

Sample rules

Potentially Suspicious WDAC Policy File Creation

Description

Detects suspicious Windows Defender Application Control (WDAC) policy file creation by abnormal processes. WDAC policies could be abused by an attacker to block EDR/AV components while allowing their own malicious code to run on the system.

Detection logic

selection_target:
  TargetFilename|contains: \Windows\System32\CodeIntegrity\
filter_main_cli:
  - CommandLine|contains|all:
      - ConvertFrom-CIPolicy -XmlFilePath
      - '-BinaryFilePath '
  - CommandLine|contains: CiTool --update-policy
  - CommandLine|contains|all:
      - Copy-Item -Path
      - -Destination
filter_main_images:
  Image|endswith:
    - \Microsoft.ConfigurationManagement.exe
    - \WDAC Wizard.exe
    - C:\Program Files\PowerShell\7-preview\pwsh.exe
    - C:\Program Files\PowerShell\7\pwsh.exe
    - C:\Windows\System32\dllhost.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    - C:\Windows\SysWOW64\dllhost.exe
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
condition: selection_target and not 1 of filter_main_*
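To see how the selection and the two filter groups combine, the following added example (not code from the LoFP page or from the rule's authors) re-implements the rule's logic in Python and runs it over a handful of constructed file-creation events in Sysmon Event ID 11 shape. The events are assumed to carry a CommandLine field for the creating process; Sysmon Event ID 11 itself does not include one, so filter_main_cli only has an effect where the pipeline enriches file events with it. Sigma string modifiers are case-insensitive, so every comparison is casefolded. All process names, paths and GUIDs in the sample events are constructed placeholders.

```python
# Added example: evaluator for the WDAC policy-file-creation rule, run over
# constructed Sysmon Event ID 11 style events. Not the rule's own code.
from typing import Iterable

# selection_target: TargetFilename|contains
TARGET_SUBSTRING = "\\Windows\\System32\\CodeIntegrity\\"

# filter_main_images: Image|endswith (one match is enough)
FILTER_IMAGES = (
    r"\Microsoft.ConfigurationManagement.exe",
    r"\WDAC Wizard.exe",
    r"C:\Program Files\PowerShell\7-preview\pwsh.exe",
    r"C:\Program Files\PowerShell\7\pwsh.exe",
    r"C:\Windows\System32\dllhost.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\dllhost.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
)

# filter_main_cli: each tuple is one list entry; every substring in a tuple
# must be present (contains|all), and any tuple satisfying that filters the event.
FILTER_CLI_ALL = (
    ("ConvertFrom-CIPolicy -XmlFilePath", "-BinaryFilePath "),
    ("CiTool --update-policy",),
    ("Copy-Item -Path", "-Destination"),
)


def selection_target(event: dict) -> bool:
    return TARGET_SUBSTRING.casefold() in event.get("TargetFilename", "").casefold()


def filter_main_cli(event: dict) -> bool:
    cmd = event.get("CommandLine", "").casefold()
    return any(all(tok.casefold() in cmd for tok in group) for group in FILTER_CLI_ALL)


def filter_main_images(event: dict) -> bool:
    img = event.get("Image", "").casefold()
    return any(img.endswith(suffix.casefold()) for suffix in FILTER_IMAGES)


def matches(event: dict) -> bool:
    # condition: selection_target and not 1 of filter_main_*
    return selection_target(event) and not (filter_main_cli(event) or filter_main_images(event))


def alerts(events: Iterable[dict]) -> list:
    """Return the ids of events the rule would fire on."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (hypothetical paths, GUIDs and process names).
SAMPLE_EVENTS = [
    {   # WDAC Wizard writing a compiled policy: filtered by image
        "id": "ev1",
        "Image": r"C:\Program Files\WDAC Wizard\WDAC Wizard.exe",
        "CommandLine": r'"C:\Program Files\WDAC Wizard\WDAC Wizard.exe"',
        "TargetFilename": r"C:\Windows\System32\CodeIntegrity\SiPolicy.p7b",
    },
    {   # CiTool refreshing a policy: filtered by command line
        "id": "ev2",
        "Image": r"C:\Windows\System32\CiTool.exe",
        "CommandLine": r"CiTool --update-policy C:\Policies\base.cip",
        "TargetFilename": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{11111111-2222-3333-4444-555555555555}.cip",
    },
    {   # Unrecognised binary writing into the policy store: the rule fires
        "id": "ev3",
        "Image": r"C:\Users\Public\svc_update.exe",
        "CommandLine": r"svc_update.exe --silent",
        "TargetFilename": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{66666666-7777-8888-9999-000000000000}.cip",
    },
    {   # Same binary writing outside CodeIntegrity: not selected
        "id": "ev4",
        "Image": r"C:\Users\Public\svc_update.exe",
        "CommandLine": r"svc_update.exe --silent",
        "TargetFilename": r"C:\Users\Public\policy.cip",
    },
    {   # powershell.exe itself is an allow-listed image, whatever the script does
        "id": "ev5",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\deploy\apply.ps1",
        "TargetFilename": r"C:\Windows\System32\CodeIntegrity\SiPolicy.p7b",
    },
]

if __name__ == "__main__":
    print("alerting events:", alerts(SAMPLE_EVENTS))  # alerting events: ['ev3']
```

Event ev5 is the one to keep in mind when tuning: because the image filter allow-lists powershell.exe wholesale, a policy written by an arbitrary PowerShell script is never alerted on by this rule, which is the trade-off the LoFP note's "apply additional filters as needed" points at. Tightening it (for example by matching the expected ConvertFrom-CIPolicy / CiTool command lines instead of the interpreter path) shifts that balance toward more alerts from legitimate administration.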