
Analytic for WDAC Policy abuse

Open. netgrain opened this issue 11 months ago.

Summary of the Pull Request

Adds analytic to hunt for abuse of Windows Defender Application Control (WDAC) policies in order to e.g. silence EDR components. An adversary would likely perform this in privileged mode (not system), which also significantly reduces FP ratio.

See also https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/

Changelog

  • new: WDAC Policy File Creation In CodeIntegrity Folder

Example Log Event

(Microsoft Defender XDR)

{
  "ActionType": "FileCreated",
  "FileName": "{1293307f-f66a-498a-bba9-a1dbc31723cf}.CIP",
  "FolderPath": "C:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\{1293307f-f66a-498a-bba9-a1dbc31723cf}.CIP",
  "InitiatingProcessFolderPath": "c:\\windows\\system32\\dllhost.exe",
  "InitiatingProcessCommandLine": "DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}",
  "InitiatingProcessIntegrityLevel": "High",
  "InitiatingProcessTokenElevation": "TokenElevationTypeFull",
  "RequestProtocol": "Local"
}

netgrain, Jan 30 '25 11:01
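The hunt described in the PR summary, written out as runnable detection logic over sample Defender XDR `DeviceFileEvents` rows. This is an added example, not the Sigma rule from this PR or any code of the Sigma project: the field names are those shown in the example event above, the sample rows are constructed (the first mirrors the PR's event, the hypothetical `agent.exe` and user-profile cases are invented negatives), and it generalizes slightly beyond the rule title by also matching `FileModified` and the legacy single-policy file `SIPolicy.p7b` in the same `CodeIntegrity` tree. The `InitiatingProcessIntegrityLevel != "System"` condition encodes the "privileged mode (not system)" observation: SYSTEM writers are the normal MDM/GPO deployment path, while an elevated user context is the unusual one.

```python
import json
from typing import Iterable

# Constructed sample events shaped like Defender XDR DeviceFileEvents rows.
# The first mirrors the PR's example; the others are constructed negatives and one extra positive.
SAMPLE_EVENTS = [
    {   # PR example: elevated admin context (High, not System) drops an active policy
        "ActionType": "FileCreated",
        "FileName": "{1293307f-f66a-498a-bba9-a1dbc31723cf}.CIP",
        "FolderPath": "C:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\{1293307f-f66a-498a-bba9-a1dbc31723cf}.CIP",
        "InitiatingProcessFolderPath": "c:\\windows\\system32\\dllhost.exe",
        "InitiatingProcessCommandLine": "DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}",
        "InitiatingProcessIntegrityLevel": "High",
        "InitiatingProcessTokenElevation": "TokenElevationTypeFull",
    },
    {   # constructed: same folder, but the writer runs as SYSTEM (typical of MDM/GPO policy deployment)
        "ActionType": "FileCreated",
        "FileName": "{aaaaaaaa-0000-0000-0000-000000000001}.cip",
        "FolderPath": "C:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\{aaaaaaaa-0000-0000-0000-000000000001}.cip",
        "InitiatingProcessFolderPath": "c:\\program files\\example-mdm\\agent.exe",  # hypothetical agent path
        "InitiatingProcessIntegrityLevel": "System",
        "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
    },
    {   # constructed: a .cip staged in a user profile, not (yet) in the CodeIntegrity folder
        "ActionType": "FileCreated",
        "FileName": "policy.cip",
        "FolderPath": "C:\\Users\\alice\\Downloads\\policy.cip",
        "InitiatingProcessFolderPath": "c:\\windows\\explorer.exe",
        "InitiatingProcessIntegrityLevel": "Medium",
        "InitiatingProcessTokenElevation": "TokenElevationTypeLimited",
    },
    {   # constructed: legacy single-policy file SIPolicy.p7b overwritten from an elevated shell
        "ActionType": "FileModified",
        "FileName": "SIPolicy.p7b",
        "FolderPath": "C:\\Windows\\System32\\CodeIntegrity\\SIPolicy.p7b",
        "InitiatingProcessFolderPath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        "InitiatingProcessIntegrityLevel": "High",
        "InitiatingProcessTokenElevation": "TokenElevationTypeFull",
    },
]

CODEINTEGRITY_DIR = "\\windows\\system32\\codeintegrity\\"
POLICY_SUFFIXES = (".cip", ".p7b")   # multi-policy (.cip) and legacy single-policy (.p7b) formats
WRITE_ACTIONS = {"FileCreated", "FileModified"}


def is_wdac_policy_write(event: dict) -> bool:
    """True when a non-SYSTEM process writes a WDAC policy file into the CodeIntegrity tree."""
    if event.get("ActionType") not in WRITE_ACTIONS:
        return False
    folder = event.get("FolderPath", "").lower()   # FolderPath carries the full path in these rows
    name = event.get("FileName", "").lower()
    if CODEINTEGRITY_DIR not in folder or not name.endswith(POLICY_SUFFIXES):
        return False
    # SYSTEM writers are the normal deployment path; the hunt targets elevated user contexts instead
    return event.get("InitiatingProcessIntegrityLevel") != "System"


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return a compact finding for each matching event, in input order."""
    findings = []
    for ev in events:
        if is_wdac_policy_write(ev):
            findings.append({
                "file": ev["FolderPath"],
                "writer": ev.get("InitiatingProcessFolderPath", "?"),
                "integrity": ev.get("InitiatingProcessIntegrityLevel", "?"),
            })
    return findings


def hunt_json_lines(text: str) -> list[dict]:
    """Same hunt over newline-delimited JSON, the form event exports usually arrive in."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"WDAC policy write: {f['file']} by {f['writer']} ({f['integrity']})")
```

Run against the sample rows it reports the dllhost.exe write from the PR and the constructed SIPolicy.p7b overwrite, and stays quiet on the SYSTEM-context deployment and the file sitting in a user profile. Tuning the `integrity` condition (for example allowing a known MDM agent path even at High) is where a deployment-specific FP allowlist would go.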

@frack113 can you get this field added to the validator so that the CI passes?

nasbench, Feb 25 '25 21:02

Need to change the file name as it is a duplicate.

frack113, Feb 28 '25 15:02

I rebased the branch onto the latest sigma master branch to solve the MITRE-tag-related issue, because the tags were deprecated.

[image]

swachchhanda000, Sep 05 '25 06:09