Potentially Suspicious WDAC Policy File Creation
Detects the creation of Windows Defender Application Control (WDAC) policy files by abnormal processes. An attacker can plant a crafted policy to block EDR/AV components while allowing their own malicious code to run on the system.
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection_target
TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
Stage 2: not 1 of filter_main_*
or:
CommandLine|contains: '-BinaryFilePath '
CommandLine|contains: 'ConvertFrom-CIPolicy -XmlFilePath'
CommandLine|contains: '-Destination'
CommandLine|contains: 'Copy-Item -Path'
CommandLine|contains: 'CiTool --update-policy'
Image|endswith: 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
Image|endswith: 'C:\Program Files\PowerShell\7\pwsh.exe'
Image|endswith: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
Image|endswith: 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
Image|endswith: 'C:\Windows\SysWOW64\dllhost.exe'
Image|endswith: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Image|endswith: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
Image|endswith: 'C:\Windows\System32\dllhost.exe'
Image|endswith: '\Microsoft.ConfigurationManagement.exe'
Image|endswith: '\WDAC Wizard.exe'
Image: 'C:\Windows\System32\wuauclt.exe'
Image: 'C:\Windows\UUS\arm64\wuaucltcore.exe'
Image: System
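The stages above compose as `selection_target and not (any filter_main_* predicate)`. The following evaluator, added here as an illustration and not code from the Sigma rule or the catalog, applies exactly those predicates to Sysmon Event ID 11 records. Field names follow the Sysmon schema the rule uses; the sample events are constructed, and string comparisons are case-insensitive because that is the Sigma default for `contains`, `endswith` and plain equality.

```python
# Added example (not part of the Sigma rule or the catalog page): evaluate this
# rule's selection and filter predicates over constructed Sysmon Event ID 11
# (FileCreate) records.

# Stage 1: the created file must sit under the CodeIntegrity directory.
SELECTION_TARGET_CONTAINS = "\\Windows\\System32\\CodeIntegrity\\"

# Stage 2: known-good tooling. One hit on any predicate excludes the event
# ("not 1 of filter_main_*").
FILTER_COMMANDLINE_CONTAINS = (
    "-BinaryFilePath ",
    "ConvertFrom-CIPolicy -XmlFilePath",
    "-Destination",
    "Copy-Item -Path",
    "CiTool --update-policy",
)
FILTER_IMAGE_ENDSWITH = (
    "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
    "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\SysWOW64\\dllhost.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "C:\\Windows\\System32\\dllhost.exe",
    "\\Microsoft.ConfigurationManagement.exe",
    "\\WDAC Wizard.exe",
)
FILTER_IMAGE_EQ = (
    "C:\\Windows\\System32\\wuauclt.exe",
    "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe",
    "System",
)


def _fold(value):
    # Sigma string matching is case-insensitive unless a modifier says otherwise.
    return (value or "").casefold()


def selection_target(event):
    """Stage 1: TargetFilename|contains '\\Windows\\System32\\CodeIntegrity\\'."""
    return _fold(SELECTION_TARGET_CONTAINS) in _fold(event.get("TargetFilename"))


def filter_main(event):
    """Stage 2: true if any filter_main_* predicate matches (event is benign)."""
    cmd = _fold(event.get("CommandLine"))
    image = _fold(event.get("Image"))
    if any(_fold(s) in cmd for s in FILTER_COMMANDLINE_CONTAINS):
        return True
    if any(image.endswith(_fold(s)) for s in FILTER_IMAGE_ENDSWITH):
        return True
    return image in {_fold(s) for s in FILTER_IMAGE_EQ}


def matches_rule(event):
    """Full condition: selection_target and not 1 of filter_main_*."""
    return selection_target(event) and not filter_main(event)


# Constructed sample events (Sysmon Event ID 11 fields only).
SAMPLE_EVENTS = [
    {   # Unknown binary in a user temp dir writes a policy file -> alert.
        "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
        "CommandLine": "updater.exe --quiet",
        "TargetFilename": "C:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b",
    },
    {   # Administrator deploying a policy via PowerShell -> filtered out.
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -File Deploy-Policy.ps1",
        "TargetFilename": "C:\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b",
    },
    {   # Kernel (System) writing under CodeIntegrity -> filtered out.
        "Image": "System",
        "CommandLine": "",
        "TargetFilename": "C:\\Windows\\System32\\CodeIntegrity\\Bootcat.cache",
    },
    {   # Policy XML written outside the CodeIntegrity directory -> no selection hit.
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "explorer.exe",
        "TargetFilename": "C:\\Users\\bob\\Documents\\AllowAll.xml",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the Image of every event this rule would alert on."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in evaluate():
        print("ALERT: WDAC policy file created by", image)
```

Only the first constructed event survives both stages. The `CommandLine|contains` filters are plain substring tests, so any process whose command line happens to contain one of those strings is excluded regardless of its image; when tuning, check which images in your own telemetry actually trigger those filters.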
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | `-BinaryFilePath `, `ConvertFrom-CIPolicy -XmlFilePath`, `-Destination`, `Copy-Item -Path`, `CiTool --update-policy` |
| Image | ends_with | `C:\Program Files\PowerShell\7-preview\pwsh.exe`, `C:\Program Files\PowerShell\7\pwsh.exe`, `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe`, `C:\Windows\SysWOW64\dllhost.exe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe`, `C:\Windows\System32\dllhost.exe`, `\Microsoft.ConfigurationManagement.exe`, `\WDAC Wizard.exe` |
| Image | eq | `C:\Windows\System32\wuauclt.exe`, `C:\Windows\UUS\arm64\wuaucltcore.exe`, `System` |
| TargetFilename | match | `\Windows\System32\CodeIntegrity\` |