Add Microsoft Workflow Compiler Sysmon Detection
This commit is contained in:
Nik Seetharaman
@@ -0,0 +1,23 @@
|
||||
title: Microsoft Workflow Compiler
|
||||
status: experimental
|
||||
description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.execution
|
||||
author: Nik Seetharaman
|
||||
references:
|
||||
- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
detection:
|
||||
# Description contains MWC even if file has been renamed.
|
||||
selection1:
|
||||
EventID: 1
|
||||
Description: '*Microsoft.Workflow.Compiler*'
|
||||
fields:
|
||||
- CommandLine
|
||||
- ParentCommandLine
|
||||
falsepositives:
|
||||
- Legitimate MWC use (unlikely in modern enterprise environments)
|
||||
level: high
|
||||
Reference in New Issue
Block a user