Techniques
Sample rules
Microsoft Workflow Compiler Execution
- source: sigma
- techniques:
- t1127
- t1218
Description
Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. Microsoft.Workflow.Compiler.exe is a Microsoft-signed .NET Framework utility that reads a serialized CompilerInput XML file, compiles the C# or VB.NET source it carries and executes the result, so an attacker can run code under a trusted signed binary rather than dropping their own unsigned executable.
Detection logic
selection:
    - Image|endswith: '\Microsoft.Workflow.Compiler.exe'
    - OriginalFileName: 'Microsoft.Workflow.Compiler.exe'
condition: selection
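The selection above is a YAML list of two maps, which Sigma evaluates as an OR: either the image path ends with the binary name, or the PE version resource still reports the original file name. The following Python is an added example, not part of the Sigma project or its rule repository, that applies that logic to a handful of constructed Sysmon-style process-creation events (field names assumed from Sysmon Event ID 1; the events themselves are made up). It includes a renamed copy of the compiler, which the second term still catches, and a renamed copy with the version resource stripped, which this rule cannot see.

```python
"""Run the 'Microsoft Workflow Compiler Execution' selection over constructed
process-creation events. Added example; not the Sigma project's tooling.
Field names follow Sysmon Event ID 1 as used by Sigma's process_creation
log source. All events below are constructed for the demo, not real telemetry."""

from typing import Dict, List

EVENTS: List[Dict[str, str]] = [
    {   # Plain invocation from the .NET Framework directory.
        "EventID": "1",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
        "OriginalFileName": "Microsoft.Workflow.Compiler.exe",
        "CommandLine": r"Microsoft.Workflow.Compiler.exe C:\Users\Public\input.xml C:\Users\Public\out.txt",
    },
    {   # Binary copied and renamed; the PE version resource still carries the original name.
        "EventID": "1",
        "Image": r"C:\Users\Public\build.exe",
        "OriginalFileName": "Microsoft.Workflow.Compiler.exe",
        "CommandLine": r"build.exe C:\Users\Public\input.xml C:\Users\Public\out.txt",
    },
    {   # Benign developer tooling that must not fire.
        "EventID": "1",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "OriginalFileName": "csc.exe",
        "CommandLine": r"csc.exe /out:app.exe app.cs",
    },
    {   # Copied, renamed AND version resource stripped: outside what this rule can see.
        "EventID": "1",
        "Image": r"C:\Users\Public\wfc.exe",
        "OriginalFileName": "-",   # assumption: Sysmon writes '-' for an absent field
        "CommandLine": r"wfc.exe C:\Users\Public\input.xml C:\Users\Public\out.txt",
    },
]


def matches(event: Dict[str, str]) -> bool:
    """Evaluate the rule's selection.

    The selection is a list of two maps, which Sigma combines with OR.
    Sigma string matching is case-insensitive by default, so both fields
    are lowercased; 'endswith' is a plain suffix comparison.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return (
        image.endswith("\\microsoft.workflow.compiler.exe")
        or original == "microsoft.workflow.compiler.exe"
    )


def run_rule(events: List[Dict[str, str]]) -> List[str]:
    """Return the CommandLine of every event the rule selects."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run_rule(EVENTS):
        print("ALERT Microsoft Workflow Compiler Execution:", hit)
```

The OriginalFileName term is what gives the rule resilience against a simple rename, so when porting it to a SIEM make sure the process-creation source actually populates that field (Sysmon does; the stock Windows 4688 event does not). Once the version resource is patched out, the only remaining signal is the command line shape (two positional arguments, the first an XML file), which this rule deliberately does not key on.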