Detection · Level: medium · Status: experimental

Potentially Suspicious WDAC Policy File Creation

Detects suspicious Windows Defender Application Control (WDAC) policy file creation by abnormal processes. An attacker who can write a WDAC policy could use it to block EDR/AV components while allowing their own malicious code to run on the system.

Author: X__Junior · Created: Fri Feb 07 · Updated: Wed Dec 03 · Rule ID: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705 · Product: windows
Log Source
Windows / File Event
Product: windows
Category: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic (5 selectors)
detection:
    selection_target:
        # This is a default location but unfortunately it could be any path configured in Group Policy Management Editor.
        # No file extension needed because any extension would work, check first reference.
        TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
    filter_main_images:
        Image|endswith:
            - '\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives
            - '\WDAC Wizard.exe' # Replace with full path to avoid false negatives
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\dllhost.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\dllhost.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_cli:
        - CommandLine|contains|all:
              - 'ConvertFrom-CIPolicy -XmlFilePath'
              - '-BinaryFilePath '
        - CommandLine|contains: 'CiTool --update-policy'
        - CommandLine|contains|all:
              - 'Copy-Item -Path'
              - '-Destination'
    filter_main_system:
        Image: 'System'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    condition: selection_target and not 1 of filter_main_*
False Positives

Administrators and security vendors may legitimately create WDAC policy files; apply additional filters as needed for the tooling used in your environment.
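The following is an added example, not part of the rule or the Sigma project, that re-implements the selection and filter logic above in Python and runs it over a handful of constructed file-creation events (Sysmon Event ID 11 style fields: Image, CommandLine, TargetFilename). It assumes Sigma's default case-insensitive string matching and uses an `explain` helper that reports which filter suppressed an event, which is the information you need when tuning the false-positive filters. All file paths, image names and the GUID in the sample events are constructed placeholders.

```python
"""Evaluate the WDAC policy-creation rule logic against constructed events."""
from typing import Callable, Dict, List

Event = Dict[str, str]

# Values copied from the rule above (backslashes doubled for Python).
TARGET_FRAGMENT = "\\Windows\\System32\\CodeIntegrity\\"
IMAGE_SUFFIXES = [
    "\\Microsoft.ConfigurationManagement.exe",
    "\\WDAC Wizard.exe",
    "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
    "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "C:\\Windows\\System32\\dllhost.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\SysWOW64\\dllhost.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
]
CLI_ALL_OF = [  # each inner list must match completely (contains|all)
    ["ConvertFrom-CIPolicy -XmlFilePath", "-BinaryFilePath "],
    ["Copy-Item -Path", "-Destination"],
]
CLI_ANY_OF = ["CiTool --update-policy"]  # plain contains
WUAUCLT_IMAGES = [
    "C:\\Windows\\System32\\wuauclt.exe",
    "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe",
]


def _field(ev: Event, name: str) -> str:
    """Sigma string modifiers are case-insensitive by default; lowercase once."""
    return ev.get(name, "").lower()


def selection_target(ev: Event) -> bool:
    return TARGET_FRAGMENT.lower() in _field(ev, "TargetFilename")


def filter_main_images(ev: Event) -> bool:
    image = _field(ev, "Image")
    return any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)


def filter_main_cli(ev: Event) -> bool:
    cli = _field(ev, "CommandLine")
    all_of = any(all(p.lower() in cli for p in grp) for grp in CLI_ALL_OF)
    any_of = any(p.lower() in cli for p in CLI_ANY_OF)
    return all_of or any_of


def filter_main_system(ev: Event) -> bool:
    return _field(ev, "Image") == "system"


def filter_main_wuauclt(ev: Event) -> bool:
    return _field(ev, "Image") in [p.lower() for p in WUAUCLT_IMAGES]


FILTERS: Dict[str, Callable[[Event], bool]] = {
    "filter_main_images": filter_main_images,
    "filter_main_cli": filter_main_cli,
    "filter_main_system": filter_main_system,
    "filter_main_wuauclt": filter_main_wuauclt,
}


def explain(ev: Event) -> str:
    """'no_selection', the name of the first suppressing filter, or 'ALERT'.
    Equivalent to: selection_target and not 1 of filter_main_*"""
    if not selection_target(ev):
        return "no_selection"
    for name, fn in FILTERS.items():
        if fn(ev):
            return name
    return "ALERT"


def evaluate(events: List[Event]) -> List[str]:
    """Labels of the events the rule would fire on."""
    return [ev["label"] for ev in events if explain(ev) == "ALERT"]


# Constructed sample events (hypothetical paths, not real telemetry).
POLICY = "C:\\Windows\\System32\\CodeIntegrity\\SIPolicy.p7b"
SAMPLE_EVENTS: List[Event] = [
    {"label": "wizard-build",
     "Image": "C:\\Program Files\\WDAC Wizard\\WDAC Wizard.exe",
     "CommandLine": "\"WDAC Wizard.exe\"", "TargetFilename": POLICY},
    {"label": "system-process", "Image": "System", "CommandLine": "",
     "TargetFilename": "C:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\"
                       "{00000000-0000-0000-0000-000000000000}.cip"},
    # Suppressed by the CLI filter on command-line text alone, whatever the
    # image is: a point to revisit if this filter proves too broad.
    {"label": "citool-update", "Image": "C:\\Windows\\Temp\\helper.exe",
     "CommandLine": "helper.exe CiTool --update-policy C:\\Windows\\Temp\\p.cip",
     "TargetFilename": POLICY},
    {"label": "unsigned-in-temp",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
     "CommandLine": "svc.exe", "TargetFilename": POLICY},
    {"label": "outside-target", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe", "TargetFilename": "C:\\Users\\alice\\policy.xml"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{explain(ev):20} {ev['label']}")
```

Running the block prints one line per event with the verdict; only `unsigned-in-temp` reaches `ALERT`. Because `explain` names the suppressing filter, piping your own exported events through it shows directly which of the four filters is absorbing a given administrative tool, so you can decide whether to add a full-path image entry (as the rule's comments recommend) rather than widening the command-line filter.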

MITRE ATT&CK
Defense Evasion (attack.defense-evasion)
Rule Metadata
Rule ID
1d2de8a6-4803-4fde-b85b-f58f3aa7a705
Status
experimental
Level
medium
Type
Detection
Created
Fri Feb 07
Modified
Wed Dec 03
Author
X__Junior
Path
rules/windows/file/file_event/file_event_win_susp_wdac_policy_creation.yml
Raw Tags
attack.defense-evasion