Threat Huntmediumtest

Microsoft Workflow Compiler Execution

Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nik Seetharaman, François HubautCreated Wed Jan 16Updated Fri Feb 03419dbf2b-8a9b-4bea-bf99-7544b050ec8dwindows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - Image|endswith: '\Microsoft.Workflow.Compiler.exe'
        - OriginalFileName: 'Microsoft.Workflow.Compiler.exe'
    condition: selection

False Positives

Legitimate MWC use (unlikely in modern enterprise environments)

References

lolbas-project.github.io

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0002 · Execution

Techniques

T1127 · Trusted Developer Utilities Proxy Execution T1218 · System Binary Proxy Execution

Other

detection.threat-hunting

Rule Metadata

Rule ID

419dbf2b-8a9b-4bea-bf99-7544b050ec8d

Status

test

Level

medium

Type

Threat Hunt

Created

Wed Jan 16

Modified

Fri Feb 03

Author

Nik Seetharaman, François Hubaut

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml

Raw Tags

attack.defense-evasionattack.executionattack.t1127attack.t1218detection.threat-hunting

View on GitHub