From 35d80c39bdb15cc1773f77c9a4f79147dac41176 Mon Sep 17 00:00:00 2001
From: Andreas Braathen <103580973+netgrain@users.noreply.github.com>
Date: Mon, 22 Sep 2025 11:48:53 +0200
Subject: [PATCH] Merge PR #5175 from @netgrain - Add `WDAC Policy File Creation In CodeIntegrity Folder`
new: WDAC Policy File Creation In CodeIntegrity Folder
---------
Co-authored-by: Andreas Braathen
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
---
 ...olicy_creation_in_codeintegrity_folder.yml | 29 +++++++++++++++++++
 tests/logsource.json | 2 +-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
diff --git a/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml b/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
new file mode 100644
index 000000000..54ae1b45b
--- /dev/null
+++ b/rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml
@@ -0,0 +1,29 @@
+title: WDAC Policy File Creation In CodeIntegrity Folder
+id: 121b25f7-b9d6-4b37-afa0-cba317ec52f3
+status: experimental
+description: |
+ Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
+references:
+ - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
+ - https://www.virustotal.com/gui/file/d2a4f52a9923336f119a52e531bbb1e66f18322fd8efa9af1a64b94f4d36dc97
+author: Andreas Braathen (mnemonic.io)
+date: 2025-01-30
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+ - detection.threat-hunting
+logsource:
+ category: file_event
+ product: windows
+ definition: 'Requirements: By default the file_event log source might not contain the IntegrityLevel of the Process. It should be collected in order to use this rule'
+detection:
+ selection:
+ TargetFilename|contains: ':\Windows\System32\CodeIntegrity\'
+ TargetFilename|endswith:
+ - '.cip'
+ - '.p7b'
+ IntegrityLevel: 'High'
+ condition: selection
+falsepositives:
+ - May occur legitimately as part of admin activity, but rarely with interactive elevation.
+level: medium
diff --git a/tests/logsource.json b/tests/logsource.json
index 8615dec66..b0cb083b9
--- a/tests/logsource.json
+++ b/tests/logsource.json
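Review bot: The `IntegrityLevel: 'High'` selector in the `selection` block excludes the delivery path the referenced write-up appears to rely on — dropping the policy onto the victim over an admin share — because a file written through SMB is attributed locally (on Sysmon at least) to the `System` process at System integrity rather than to an elevated interactive process, and any SYSTEM-level tooling (a service, `psexec -s`, a scheduled task) is missed for the same reason. Since this is a threat-hunting rule, consider widening the selector to `IntegrityLevel: ['High', 'System']` and adding a falsepositives entry such as `- Legitimate WDAC policy deployment via Intune/MDM, Group Policy or SCCM, which runs as SYSTEM`, or at minimum state the High-only scope in the description so hunters know remote drops are out of scope. Separately, the rule keys only on creation of `.cip`/`.p7b`; as far as I know Sysmon's FileCreate event does not fire for an in-place rename, so a policy staged under another extension and renamed into `CodeIntegrity\` would not match — a companion `file_rename` rule would close that gap.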
@@ -436,7 +436,7 @@ "SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine", "IsInitialThread", "RemoteCreation"],
 "file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"],
- "file_event": ["CommandLine", "ParentImage", "ParentCommandLine", "MagicHeader"],
+ "file_event": ["CommandLine", "IntegrityLevel", "MagicHeader", "ParentCommandLine", "ParentImage"],
 "image_load": ["CommandLine"],
 "process_access": ["SourceCommandLine", "CallTraceExtended"],
 "file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"],