sigma / medium / Hunting
Potentially Suspicious WDAC Policy File Creation
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes. WDAC policy deployment can be abused by attackers to block EDR/AV components while allowing their own malicious code to run on the system.
Detection Query
selection_target:
    TargetFilename|contains: \Windows\System32\CodeIntegrity\
filter_main_images:
    Image|endswith:
        - \Microsoft.ConfigurationManagement.exe
        - \WDAC Wizard.exe
        - C:\Program Files\PowerShell\7-preview\pwsh.exe
        - C:\Program Files\PowerShell\7\pwsh.exe
        - C:\Windows\System32\dllhost.exe
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        - C:\Windows\SysWOW64\dllhost.exe
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
filter_main_cli:
    - CommandLine|contains|all:
          - ConvertFrom-CIPolicy -XmlFilePath
          - "-BinaryFilePath "
    - CommandLine|contains: CiTool --update-policy
    - CommandLine|contains|all:
          - Copy-Item -Path
          - -Destination
filter_main_system:
    Image: System
filter_main_wuauclt:
    Image:
        - C:\Windows\System32\wuauclt.exe
        - C:\Windows\UUS\arm64\wuaucltcore.exe
condition: selection_target and not 1 of filter_main_*
Author
X__Junior
Created
2025-02-07
Data Sources
windows / File Events
Platforms
windows
References
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
- https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
- https://github.com/logangoins/Krueger/tree/main
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
Tags
attack.defense-evasion
Raw Content
title: Potentially Suspicious WDAC Policy File Creation
id: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
status: experimental
description: |
    Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes. WDAC policy deployment can be abused by attackers to block EDR/AV components while allowing their own malicious code to run on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
    - https://github.com/logangoins/Krueger/tree/main
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
author: X__Junior
date: 2025-02-07
modified: 2025-12-03
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection_target:
        # This is the default location, but unfortunately it could be any path configured in the Group Policy Management Editor.
        # No file extension is needed because any extension would work; see the first reference.
        TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
    filter_main_images:
        Image|endswith:
            - '\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives
            - '\WDAC Wizard.exe' # Replace with full path to avoid false negatives
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\dllhost.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\dllhost.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_cli:
        - CommandLine|contains|all:
              - 'ConvertFrom-CIPolicy -XmlFilePath'
              - '-BinaryFilePath '
        - CommandLine|contains: 'CiTool --update-policy'
        - CommandLine|contains|all:
              - 'Copy-Item -Path'
              - '-Destination'
    filter_main_system:
        Image: 'System'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    condition: selection_target and not 1 of filter_main_*
falsepositives:
    - Administrators and security vendors could leverage WDAC; apply additional filters as needed.
level: medium
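To see how the selection and the four filter groups interact, the following is an added example that re-implements the rule's logic in Python and runs it over constructed Sysmon Event ID 11 (FileCreate) style records. It is not code from the rule or from SigmaHQ. It assumes the Sigma Windows file_event field names (Image, TargetFilename, CommandLine), that CommandLine has already been joined in from the process creation event (FileCreate records do not carry one on their own), and it adds a strict mode of its own that drops the two unanchored endswith entries so that the false negative the rule's comments warn about becomes visible. All sample paths, command lines and the policy GUID are constructed.

```python
# Added example: evaluator for rule 1d2de8a6-4803-4fde-b85b-f58f3aa7a705 over
# constructed FileCreate-style records (not part of the Sigma rule or SigmaHQ).

# selection_target: default policy directory; the rule notes GPO can point elsewhere.
WATCHED_DIR = "\\Windows\\System32\\CodeIntegrity\\"

# filter_main_images exactly as listed in the rule. Sigma string matching is
# case-insensitive, and |endswith on a bare file name matches that name in any
# directory; those two unanchored entries are the ones the rule's comments say
# to replace with a full path.
IMAGE_SUFFIXES = (
    r"\Microsoft.ConfigurationManagement.exe",
    r"\WDAC Wizard.exe",
    r"C:\Program Files\PowerShell\7-preview\pwsh.exe",
    r"C:\Program Files\PowerShell\7\pwsh.exe",
    r"C:\Windows\System32\dllhost.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\dllhost.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
)
UNANCHORED = frozenset(s for s in IMAGE_SUFFIXES if not s.startswith("C:\\"))

# filter_main_cli: each tuple is one |contains|all item; any one tuple filters.
CLI_GROUPS = (
    ("ConvertFrom-CIPolicy -XmlFilePath", "-BinaryFilePath "),
    ("CiTool --update-policy",),
    ("Copy-Item -Path", "-Destination"),
)
WUAUCLT_IMAGES = frozenset(p.lower() for p in (
    r"C:\Windows\System32\wuauclt.exe", r"C:\Windows\UUS\arm64\wuaucltcore.exe"))


def _field(event, name):
    return str(event.get(name, "")).lower()


def selection_target(event):
    return WATCHED_DIR.lower() in _field(event, "TargetFilename")


def filter_main_images(event, strict=False):
    # strict=True is this example's own option (not in the rule): it drops the
    # unanchored entries so a renamed binary elsewhere is no longer filtered.
    image = _field(event, "Image")
    suffixes = [s for s in IMAGE_SUFFIXES if not (strict and s in UNANCHORED)]
    return any(image.endswith(s.lower()) for s in suffixes)


def filter_main_cli(event):
    # Evaluated on CommandLine only: it filters regardless of which Image ran.
    cli = _field(event, "CommandLine")
    return any(all(p.lower() in cli for p in group) for group in CLI_GROUPS)


def filter_main_system(event):
    return _field(event, "Image") == "system"


def filter_main_wuauclt(event):
    return _field(event, "Image") in WUAUCLT_IMAGES


def matches(event, strict=False):
    """condition: selection_target and not 1 of filter_main_*"""
    if not selection_target(event):
        return False
    return not (filter_main_images(event, strict) or filter_main_cli(event)
                or filter_main_system(event) or filter_main_wuauclt(event))


def alerts(events, strict=False):
    """Ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e, strict)]


# Constructed sample records (not real telemetry); the GUID is a placeholder.
CI_DIR = r"C:\Windows\System32\CodeIntegrity"
ACTIVE_CIP = CI_DIR + r"\CiPolicies\Active\{00000000-0000-0000-0000-000000000001}.cip"
SAMPLE_EVENTS = [
    # 1: unknown binary drops a legacy single-policy file -> alert
    {"id": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
     "CommandLine": "loader.exe", "TargetFilename": CI_DIR + r"\SiPolicy.p7b"},
    # 2: admin deploying from PowerShell -> filtered by image (and by cli)
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Copy-Item -Path C:\\pol\\x.cip -Destination " + ACTIVE_CIP,
     "TargetFilename": ACTIVE_CIP},
    # 3: CiTool.exe is not in filter_main_images; filtered by its command line
    {"id": 3, "Image": r"C:\Windows\System32\CiTool.exe",
     "CommandLine": 'CiTool --update-policy "C:\\pol\\x.cip"', "TargetFilename": ACTIVE_CIP},
    # 4: kernel writing into the directory -> filtered by filter_main_system
    {"id": 4, "Image": "System", "CommandLine": "", "TargetFilename": CI_DIR + r"\bootcat.cache"},
    # 5: attacker tool renamed to the wizard's file name -> filtered by the
    #    unanchored endswith entry (the false negative the rule's comments warn about)
    {"id": 5, "Image": r"C:\Users\bob\Downloads\WDAC Wizard.exe",
     "CommandLine": '"WDAC Wizard.exe"', "TargetFilename": ACTIVE_CIP},
    # 6: Windows Update in mixed case -> filtered (matching is case-insensitive)
    {"id": 6, "Image": r"C:\WINDOWS\System32\WUAUCLT.EXE", "CommandLine": "wuauclt.exe",
     "TargetFilename": ACTIVE_CIP.upper()},
    # 7: rundll32 writing a policy -> alert
    {"id": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe dropper.dll,Run", "TargetFilename": ACTIVE_CIP},
]

if __name__ == "__main__":
    print("default:", alerts(SAMPLE_EVENTS))              # [1, 7]
    print("strict: ", alerts(SAMPLE_EVENTS, strict=True))  # [1, 5, 7]
```

Two things the run makes concrete: filter_main_cli is matched on the command line alone, so any process whose command line carries `CiTool --update-policy` or the PowerShell deployment cmdlets is excluded whatever its Image; and the two bare file names under Image|endswith exclude a same-named binary in any directory, which is why the rule's comments recommend anchoring them to full paths in your environment.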