Sample rules
Use of Wfc.exe
- source: sigma
- techniques:
  - t1127
Description
The Workflow Command-line Compiler can be used for AWL (application whitelisting) bypass and is listed in Microsoft’s recommended block rules.
Detection logic
selection:
  - Image|endswith: '\wfc.exe'
  - OriginalFileName: 'wfc.exe'
condition: selection
Use of FSharp Interpreters
- source: sigma
- techniques:
  - t1059
Description
Detects the execution of the F# interpreters “FsiAnyCpu.exe” and “FSi.exe”. Both can be used for AWL (application whitelisting) bypass and to execute F# code from scripts or inline.
Detection logic
selection:
  - Image|endswith:
      - '\fsi.exe'
      - '\fsianycpu.exe'
  - OriginalFileName:
      - 'fsi.exe'
      - 'fsianycpu.exe'
condition: selection
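To show how the two selections above actually evaluate, here is an added example (not part of the original page and not Sigma's own engine) that implements the subset of Sigma selection semantics these rules rely on: a list of maps is OR-ed, keys within one map are AND-ed, a list of values for one key is OR-ed, the `endswith` modifier is applied to the field, and string comparison is case-insensitive. It runs the rules over a few constructed process-creation events with Sysmon-style `Image` and `OriginalFileName` fields; the event list and field names are assumptions for illustration.

```python
"""Minimal evaluator for the two Sigma selections above (added example)."""

# Rule selections transcribed from the page. Wildcards are not needed by these
# rules, so they are not implemented here.
RULES = {
    "Use of Wfc.exe": [
        {"Image|endswith": "\\wfc.exe"},
        {"OriginalFileName": "wfc.exe"},
    ],
    "Use of FSharp Interpreters": [
        {"Image|endswith": ["\\fsi.exe", "\\fsianycpu.exe"]},
        {"OriginalFileName": ["fsi.exe", "fsianycpu.exe"]},
    ],
}


def _match_value(field_spec, event, value):
    """Compare one rule value against one event field, honouring the modifier."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:  # field absent: this map cannot match on it
        return False
    actual, value = str(actual).lower(), str(value).lower()  # Sigma is case-insensitive
    if modifier == "":
        return actual == value
    if modifier == "endswith":
        return actual.endswith(value)
    if modifier == "startswith":
        return actual.startswith(value)
    if modifier == "contains":
        return value in actual
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_field(field_spec, values, event):
    """A list of values for one field is OR-ed."""
    values = values if isinstance(values, list) else [values]
    return any(_match_value(field_spec, event, v) for v in values)


def selection_matches(selection, event):
    """Evaluate a selection (list of maps OR-ed, keys inside a map AND-ed)."""
    maps = selection if isinstance(selection, list) else [selection]
    return any(all(_match_field(k, v, event) for k, v in m.items()) for m in maps)


def evaluate(event):
    """Return the names of rules whose `condition: selection` fires on this event."""
    return [name for name, sel in RULES.items() if selection_matches(sel, event)]


# Constructed sample events (assumed Sysmon process-creation style fields).
EVENTS = [
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\wfc.exe",
     "OriginalFileName": "wfc.exe"},
    # A copy under another name: the Image check misses, but OriginalFileName
    # (from the PE version resource) still fires, which is why both are listed.
    {"Image": "C:\\Users\\Public\\updater.exe", "OriginalFileName": "fsi.exe"},
    # Mixed-case path with no OriginalFileName field at all.
    {"Image": "C:\\Program Files\\dotnet\\FsiAnyCpu.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["Image"], "->", evaluate(ev) or "no match")
```

The second sample event is the reason both rules pair `Image|endswith` with `OriginalFileName`: the version-resource name survives a rename of the file on disk, so a detection keyed only on the path would be weaker.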