Potentially Suspicious WDAC Policy File Creation

Original Source: [Sigma source]
Title: Potentially Suspicious WDAC Policy File Creation
Status: experimental
Description: Detects suspicious Windows Defender Application Control (WDAC) policy file creation by abnormal processes. This technique could be abused by an attacker to block EDR/AV components while allowing their own malicious code to run on the system.
References:
  - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
  - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
  - https://github.com/logangoins/Krueger/tree/main
  - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
  - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
  - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
Author: X__Junior
Date: 2025-02-07
Modified: None
Tags:
  - attack.defense-evasion
Logsource:
  category: file_event
  product: windows
Detection:
  selection_target:
    TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
  filter_main_images:
    Image|endswith:
      - '\Microsoft.ConfigurationManagement.exe'
      - '\WDAC Wizard.exe'
      - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
      - 'C:\Program Files\PowerShell\7\pwsh.exe'
      - 'C:\Windows\System32\dllhost.exe'
      - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
      - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      - 'C:\Windows\SysWOW64\dllhost.exe'
      - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
      - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
  filter_main_cli:
    - CommandLine|contains|all:
        - 'ConvertFrom-CIPolicy -XmlFilePath'
        - '-BinaryFilePath '
    - CommandLine|contains: 'CiTool --update-policy'
    - CommandLine|contains|all:
        - 'Copy-Item -Path'
        - '-Destination'
  condition: selection_target and not 1 of filter_main_*
Falsepositives:
  - Administrators and security vendors may legitimately deploy WDAC policies; apply additional filters as needed.
Level: medium
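Added example, not part of the Sigma rule or its author's material: a small Python evaluator that applies the rule's selection and filters to constructed file_event records (Image, CommandLine, TargetFilename fields), so the `selection_target and not 1 of filter_main_*` condition can be checked on sample data. The sample records and the `SiPolicy.p7b` path are constructed illustrations, not real telemetry.

```python
# Added example, not from the Sigma rule or its author: applies the rule's
# selection and filters to constructed file_event records so the
# "selection_target and not 1 of filter_main_*" logic can be checked.
# Values are lower-cased because Sigma string matching is case-insensitive.
CODEINTEGRITY_DIR = "\\windows\\system32\\codeintegrity\\"   # selection_target
TRUSTED_IMAGE_SUFFIXES = (                                  # filter_main_images
    "\\microsoft.configurationmanagement.exe",
    "\\wdac wizard.exe",
    "c:\\program files\\powershell\\7-preview\\pwsh.exe",
    "c:\\program files\\powershell\\7\\pwsh.exe",
    "c:\\windows\\system32\\dllhost.exe",
    "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell_ise.exe",
    "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
    "c:\\windows\\syswow64\\dllhost.exe",
    "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell_ise.exe",
    "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
)
KNOWN_CLI_GROUPS = (              # filter_main_cli: each tuple is one contains|all
    ("convertfrom-cipolicy -xmlfilepath", "-binaryfilepath "),
    ("citool --update-policy",),
    ("copy-item -path", "-destination"),
)

def matches_rule(event: dict) -> bool:
    """True when the record satisfies selection_target and no filter_main_* excludes it."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if CODEINTEGRITY_DIR not in target:            # selection_target
        return False
    if image.endswith(TRUSTED_IMAGE_SUFFIXES):      # filter_main_images
        return False
    if any(all(n in cmdline for n in g) for g in KNOWN_CLI_GROUPS):  # filter_main_cli
        return False
    return True

# Constructed sample telemetry (not real logs); the policy path is illustrative.
POLICY = "C:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b"
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File Deploy-Policy.ps1", "TargetFilename": POLICY},  # trusted image
    {"Image": "C:\\Tools\\deploy.exe", "TargetFilename": POLICY,
     "CommandLine": "deploy.exe CiTool --update-policy .\\policy.cip"},  # known deployment command
    {"Image": "C:\\Users\\Public\\updater.exe", "CommandLine": "updater.exe",
     "TargetFilename": POLICY},  # unknown process writing a policy -> alerts
    {"Image": "C:\\Users\\Public\\updater.exe", "CommandLine": "updater.exe",
     "TargetFilename": "C:\\Temp\\SiPolicy.p7b"},  # outside CodeIntegrity -> not selected
]
```

Only the third record alerts: the first two are suppressed by the image and command-line filters, and the fourth never meets the selection.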