← Back to Explore
sigmamediumHunting
Use of Wfc.exe
The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Detection Query
selection:
- Image|endswith: \wfc.exe
- OriginalFileName: wfc.exe
condition: selection
Author
Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
Created
2022-06-01
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1127
Raw Content
title: Use of Wfc.exe
id: 49be8799-7b4d-4fda-ad23-cafbefdebbc5
status: test
description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-01
tags:
- attack.defense-evasion
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\wfc.exe'
- OriginalFileName: 'wfc.exe'
condition: selection
falsepositives:
- Legitimate use by a software developer
level: medium