Threat Hunt | medium | experimental

WDAC Policy File Creation In CodeIntegrity Folder

Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). After a reboot the policy prevents the EDR drivers from loading, effectively bypassing those security controls, and may further enable undetected lateral movement within an Active Directory environment.

Author: Andreas Braathen (mnemonic.io)
Created: Thu Jan 30
Rule ID: 121b25f7-b9d6-4b37-afa0-cba317ec52f3
Product: windows
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Definition

Requirements: By default the file_event log source might not contain the IntegrityLevel of the process. It should be collected in order for this rule to be usable.

Detection Logic
detection:
    selection:
        TargetFilename|contains: ':\Windows\System32\CodeIntegrity\'
        TargetFilename|endswith:
            - '.cip'
            - '.p7b'
        IntegrityLevel: 'High'
    condition: selection
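As an added illustration (not part of the Sigma rule or this page), the selection block above re-implemented as a small Python matcher and run over constructed file-create events. It assumes the page's field names (TargetFilename, IntegrityLevel) and Sigma's default case-insensitive string matching, and it also exercises the Requirements caveat: an event that carries no IntegrityLevel can never match.

```python
"""Matcher for the Sigma selection above, run over constructed file-create events."""

# Sigma's `contains` and `endswith` modifiers match case-insensitively by default,
# so both sides of every comparison are lowercased.
CODEINTEGRITY_FRAGMENT = ":\\windows\\system32\\codeintegrity\\"
POLICY_SUFFIXES = (".cip", ".p7b")


def matches_wdac_policy_drop(event: dict) -> bool:
    """True when an event satisfies the rule's `selection` block (all three ANDed)."""
    target = str(event.get("TargetFilename", "")).lower()
    # IntegrityLevel is often absent from file_event telemetry (the Requirements
    # note above); without it the AND cannot hold, so such events are reported as
    # non-matches rather than raising a KeyError.
    level = str(event.get("IntegrityLevel", "")).lower()
    return (CODEINTEGRITY_FRAGMENT in target
            and target.endswith(POLICY_SUFFIXES)
            and level == "high")


def find_matches(events) -> list:
    """Return the TargetFilename of every event the selection matches."""
    return [e["TargetFilename"] for e in events if matches_wdac_policy_drop(e)]


# Constructed sample events loosely modelled on Sysmon Event ID 11 (FileCreate);
# the user name and policy GUID are placeholders, not real artefacts.
SAMPLE_EVENTS = [
    # 1: elevated interactive process writes a policy -> match
    {"Image": "C:\\Users\\alice\\Desktop\\deploy.exe", "IntegrityLevel": "High",
     "TargetFilename": "C:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b"},
    # 2: policy written by a SYSTEM-integrity service (managed deployment) -> no match
    {"Image": "C:\\Windows\\System32\\svchost.exe", "IntegrityLevel": "System",
     "TargetFilename": "C:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active"
                       "\\{11111111-2222-3333-4444-555555555555}.cip"},
    # 3: right folder, wrong extension -> no match
    {"Image": "C:\\Users\\alice\\Desktop\\deploy.exe", "IntegrityLevel": "High",
     "TargetFilename": "C:\\Windows\\System32\\CodeIntegrity\\notes.txt"},
    # 4: policy file staged outside the privileged folder -> no match
    {"Image": "C:\\Users\\alice\\Desktop\\deploy.exe", "IntegrityLevel": "High",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\SiPolicy.p7b"},
    # 5: IntegrityLevel not collected -> cannot fire (the Requirements caveat)
    {"Image": "C:\\Users\\alice\\Desktop\\deploy.exe",
     "TargetFilename": "C:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b"},
    # 6: mixed-case path still matches because Sigma string matching ignores case
    {"Image": "C:\\Users\\alice\\Desktop\\deploy.exe", "IntegrityLevel": "High",
     "TargetFilename": "c:\\WINDOWS\\system32\\CodeIntegrity\\sipolicy.P7B"},
]
```

Running `find_matches(SAMPLE_EVENTS)` returns only events 1 and 6; event 2 shows why the IntegrityLevel condition keeps routine SYSTEM-level policy deployment out of the hit list.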
False Positives

May occur legitimately as part of admin activity, but rarely with interactive elevation.

MITRE ATT&CK

attack.defense-evasion
attack.t1562.001

Other

detection.threat-hunting
Rule Metadata
Rule ID
121b25f7-b9d6-4b37-afa0-cba317ec52f3
Status
experimental
Level
medium
Type
Threat Hunt
Created
Thu Jan 30
Path
rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
Raw Tags
attack.defense-evasion, attack.t1562.001, detection.threat-hunting