Detectionmediumtest

Use of Wfc.exe

The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Christopher Peacock, SCYTHECreated Wed Jun 0149be8799-7b4d-4fda-ad23-cafbefdebbc5windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - Image|endswith: '\wfc.exe'
        - OriginalFileName: 'wfc.exe'
    condition: selection

False Positives

Legitimate use by a software developer

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

49be8799-7b4d-4fda-ad23-cafbefdebbc5

Status

test

Level

medium

Type

Detection

Created

Wed Jun 01

Author

Path

rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml

Raw Tags

attack.defense-evasionattack.t1127