An attacker who can write to C:\Windows\System32\CodeIntegrity\ can drop a Windows Defender Application Control (WDAC) policy that blocks EDR/AV drivers and services while still allowing their own code to run; once the policy is loaded (typically after a reboot or a policy refresh) the endpoint protections are silenced without ever being tampered with directly, and the effect persists across reboots. The rule below flags policy file creation in that directory by any process other than the expected deployment tooling. SOC teams running Azure Sentinel (now Microsoft Sentinel) should hunt for this proactively, because the file write is the main observable step before the protection is gone. Two caveats when tuning: the PowerShell hosts are exempted by image path alone, so a policy staged with powershell.exe or pwsh.exe is also suppressed unless those exclusions are narrowed to a recognised command line; and a policy written over SMB from another host is attributed to the System process on the receiving machine, which filter_main_system then suppresses, so remote deployments of the kind described in the references need a different data source (for example, file-share object access auditing).
Detection Rule
title: Potentially Suspicious WDAC Policy File Creation
id: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
status: experimental
description: |
    Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by an attacker to block EDR/AV components while allowing their own malicious code to run on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
    - https://github.com/logangoins/Krueger/tree/main
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
author: X__Junior
date: 2025-02-07
modified: 2025-12-03
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection_target:
        # This is a default location but unfortunately it could be any path configured in Group Policy Management Editor.
        # No file extension needed because any extension would work, check first reference.
        TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
    filter_main_images:
        Image|endswith:
            - '\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives
            - '\WDAC Wizard.exe' # Replace with full path to avoid false negatives
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\dllhost.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\dllhost.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_cli:
        - CommandLine|contains|all:
              - 'ConvertFrom-CIPolicy -XmlFilePath'
              - '-BinaryFilePath '
        - CommandLine|contains: 'CiTool --update-policy'
        - CommandLine|contains|all:
              - 'Copy-Item -Path'
              - '-Destination'
    filter_main_system:
        Image: 'System'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    condition: selection_target and not 1 of filter_main_*
falsepositives:
    - Administrators and security vendors could leverage WDAC, apply additional filters as needed.
level: medium
imFileEvent
// TargetFilePath is the full path of the created file; TargetFileName in ASIM holds only the
// bare file name and never contains a directory, so the selection must use TargetFilePath.
| where TargetFilePath contains "\\Windows\\System32\\CodeIntegrity\\"
// Sigma's Image and CommandLine correspond to the ASIM acting-process fields, i.e. the process
// that performed the write, not to the path of the created file.
| where not (
    ActingProcessName endswith "\\Microsoft.ConfigurationManagement.exe"
    or ActingProcessName endswith "\\WDAC Wizard.exe"
    or ActingProcessName endswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe"
    or ActingProcessName endswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe"
    or ActingProcessName endswith "C:\\Windows\\System32\\dllhost.exe"
    or ActingProcessName endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe"
    or ActingProcessName endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    or ActingProcessName endswith "C:\\Windows\\SysWOW64\\dllhost.exe"
    or ActingProcessName endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe"
    or ActingProcessName endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
    or (ActingProcessCommandLine contains "ConvertFrom-CIPolicy -XmlFilePath" and ActingProcessCommandLine contains "-BinaryFilePath ")
    or ActingProcessCommandLine contains "CiTool --update-policy"
    or (ActingProcessCommandLine contains "Copy-Item -Path" and ActingProcessCommandLine contains "-Destination")
    or ActingProcessName =~ "System"
    or ActingProcessName in~ ("C:\\Windows\\System32\\wuauclt.exe", "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe")
)
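The rule's logic run over a handful of constructed file-creation events, as an added example written for this page; it is not code from the Sigma rule, its author or the referenced tools. The events are Sysmon Event ID 11 shaped dictionaries whose paths and command lines are made up (the WDAC Wizard install path in particular is an assumption), each filter is evaluated the way Sigma does it (case-insensitive contains/endswith), and matches_tuned is an editor's tuning suggestion, not part of the published rule. Two things the YAML alone does not make visible: a policy staged with powershell.exe is suppressed by the image-only exclusion, and a write arriving over SMB from another host is suppressed because it is attributed to the System process.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    # Minimal Sysmon Event ID 11 (FileCreate) shape: the three fields the rule reads.
    image: str            # Image: full path of the process performing the write
    command_line: str     # CommandLine of that process
    target_filename: str  # TargetFilename: the file being created


# Strings copied from the Sigma rule. Sigma's contains/endswith modifiers are
# case-insensitive, so every comparison below lower-cases both sides.
TARGET_DIR = "\\Windows\\System32\\CodeIntegrity\\"
IMAGE_SUFFIXES = (
    "\\Microsoft.ConfigurationManagement.exe",
    "\\WDAC Wizard.exe",
    "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
    "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "C:\\Windows\\System32\\dllhost.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\SysWOW64\\dllhost.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
)
CLI_ALL_OF = (("ConvertFrom-CIPolicy -XmlFilePath", "-BinaryFilePath "),
              ("Copy-Item -Path", "-Destination"))
CLI_ANY_OF = ("CiTool --update-policy",)
WUAUCLT_IMAGES = ("C:\\Windows\\System32\\wuauclt.exe", "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe")
# PowerShell hosts inside IMAGE_SUFFIXES; the tuned variant stops exempting them by
# image alone (editor's tuning, not part of the published rule).
SCRIPT_HOSTS = tuple(s for s in IMAGE_SUFFIXES
                     if s.lower().endswith(("pwsh.exe", "powershell.exe", "powershell_ise.exe")))
NON_SCRIPT_IMAGES = tuple(s for s in IMAGE_SUFFIXES if s not in SCRIPT_HOSTS)


def selection_target(ev: FileEvent) -> bool:
    return TARGET_DIR.lower() in ev.target_filename.lower()

def filter_main_images(ev: FileEvent, suffixes=IMAGE_SUFFIXES) -> bool:
    image = ev.image.lower()
    return any(image.endswith(s.lower()) for s in suffixes)

def filter_main_cli(ev: FileEvent) -> bool:
    cl = ev.command_line.lower()
    return (any(all(part.lower() in cl for part in group) for group in CLI_ALL_OF)
            or any(part.lower() in cl for part in CLI_ANY_OF))

def filter_main_system(ev: FileEvent) -> bool:
    # Sysmon reports PID 4 as Image "System"; writes arriving over SMB are attributed to it.
    return ev.image.lower() == "system"

def filter_main_wuauclt(ev: FileEvent) -> bool:
    return ev.image.lower() in {p.lower() for p in WUAUCLT_IMAGES}

def matches_rule(ev: FileEvent) -> bool:
    """condition: selection_target and not 1 of filter_main_*"""
    filters = (filter_main_images, filter_main_cli, filter_main_system, filter_main_wuauclt)
    return selection_target(ev) and not any(f(ev) for f in filters)

def matches_tuned(ev: FileEvent) -> bool:
    """Editor's variant: PowerShell hosts are exempt only through filter_main_cli
    (a recognised deployment command line), never by image path alone."""
    exempt = (filter_main_images(ev, NON_SCRIPT_IMAGES) or filter_main_cli(ev)
              or filter_main_system(ev) or filter_main_wuauclt(ev))
    return selection_target(ev) and not exempt


CI = "C:\\Windows\\System32\\CodeIntegrity\\"
# Constructed sample events, not real telemetry; the WDAC Wizard install path is assumed.
SAMPLE_EVENTS = {
    # attacker stages a policy with cmd.exe; the lower-case target exercises case folding
    "cmd_copy": FileEvent("C:\\Windows\\System32\\cmd.exe",
                          "cmd.exe /c copy C:\\Users\\Public\\SiPolicy.p7b " + CI + "SiPolicy.p7b",
                          "c:\\windows\\system32\\codeintegrity\\sipolicy.p7b"),
    # legitimate ConvertFrom-CIPolicy deployment from pwsh
    "admin_convertfrom": FileEvent("C:\\Program Files\\PowerShell\\7\\pwsh.exe",
                                   "pwsh.exe -Command \"ConvertFrom-CIPolicy -XmlFilePath C:\\Policies\\Allow.xml "
                                   "-BinaryFilePath " + CI + "SiPolicy.p7b\"", CI + "SiPolicy.p7b"),
    # attacker stages a policy with powershell.exe: exempt by image in the published rule
    "ps_setcontent": FileEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                               "powershell.exe -nop -w hidden -c \"Set-Content -Path " + CI
                               + "SiPolicy.p7b -Value $b -Encoding Byte\"", CI + "SiPolicy.p7b"),
    # policy written over SMB from another host: attributed to System on the target
    "remote_smb_write": FileEvent("System", "",
                                  CI + "CiPolicies\\Active\\{00000000-0000-0000-0000-000000000000}.cip"),
    "wdac_wizard": FileEvent("C:\\Program Files\\WDAC Wizard\\WDAC Wizard.exe", "\"WDAC Wizard.exe\"",
                             CI + "SiPolicy.p7b"),
    "unrelated": FileEvent("C:\\Windows\\System32\\notepad.exe", "notepad.exe", "C:\\Users\\Public\\notes.txt"),
}


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Return {name: (published rule fires, tuned variant fires)} for each event."""
    return {name: (matches_rule(ev), matches_tuned(ev)) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (rule, tuned) in evaluate().items():
        print(f"{name:18} rule={rule!s:5} tuned={tuned}")
```

Running it shows the published rule firing only on cmd_copy, while the tuned variant also fires on ps_setcontent; remote_smb_write stays silent in both, which is the System-process gap noted above and has to be covered from a different log source rather than from this rule.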
Scenario: A system administrator authors and deploys a WDAC policy as part of routine hardening, using the WDAC Wizard or the ConfigCI PowerShell cmdlets (New-CIPolicy to produce the policy XML, ConvertFrom-CIPolicy to compile it to the binary that is then placed under C:\Windows\System32\CodeIntegrity\).
Filter/Exclusion: The rule already exempts WDAC Wizard.exe (by bare file name; pin it to the full install path in your environment) and command lines containing ConvertFrom-CIPolicy -XmlFilePath together with -BinaryFilePath. Exclude any further authoring tool only by its full image path, never by file name alone, since an attacker can give a binary any name.
Scenario: A scheduled task runs a PowerShell script that regenerates and redeploys the policy on a regular basis.
Filter/Exclusion: Scheduled tasks are started by the Task Scheduler service, an svchost.exe instance, so the process writing the file is the script host itself (schtasks.exe only manages task definitions and is never the writer). The rule already exempts powershell.exe and pwsh.exe by full path, which also hides an attacker who stages a policy with PowerShell; a tighter exclusion keys on the task's script path or the deployment cmdlets in the command line (ActingProcessCommandLine in the Sentinel query) rather than on the interpreter.
Scenario: An endpoint management platform such as Microsoft Intune, which deploys WDAC through the ApplicationControl CSP, or a Microsoft Defender for Endpoint integration pushes a WDAC policy as part of the device configuration.
Filter/Exclusion: Identify the process that your own telemetry shows performing the write on a managed device and exclude it by full image path; do not exclude a guessed executable name.
Scenario: An IT team uses PowerShell interactively to generate and test a policy, for example New-CIPolicy followed by ConvertFrom-CIPolicy, or refreshes a deployed policy with CiTool --update-policy.
Filter/Exclusion: filter_main_cli already covers the ConvertFrom-CIPolicy and CiTool --update-policy command lines. If the team drives this from a wrapper script, exclude that script's full path as it appears in the command line. C:\Windows\System32\WindowsPowerShell\v1.0\ is the PowerShell installation directory, not an administrative script location, and excluding everything under it would be a blanket PowerShell exemption.
Scenario: Windows Update services the Code Integrity directory (the Microsoft vulnerable driver blocklist, driversipolicy.p7b, is delivered there through Windows Update), or Configuration Manager (SCCM/MEMCM) deploys a WDAC policy through its client.
Filter/Exclusion: Exclude processes associated with Windows Update