From e371d945ed80bbb13aa40227cc3d2b2c0779f8bd Mon Sep 17 00:00:00 2001
From: Nik Seetharaman <5733460+nikseetharaman@users.noreply.github.com>
Date: Sat, 18 Aug 2018 00:53:28 -0500
Subject: [PATCH] Add Microsoft Workflow Compiler Sysmon Detection

---
 .../sysmon/sysmon_workflow_compiler.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_workflow_compiler.yml

diff --git a/rules/windows/sysmon/sysmon_workflow_compiler.yml b/rules/windows/sysmon/sysmon_workflow_compiler.yml
new file mode 100644
index 000000000..b4b09cd9e
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_workflow_compiler.yml
@@ -0,0 +1,23 @@
+title: Microsoft Workflow Compiler
+status: experimental
+description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
+tags:
+  - attack.defense_evasion
+  - attack.execution
+author: Nik Seetharaman
+references:
+  - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  # Description contains MWC even if file has been renamed.
+  selection1:
+    EventID: 1
+    Description: '*Microsoft.Workflow.Compiler*'
+fields:
+  - CommandLine
+  - ParentCommandLine
+falsepositives:
+  - Legitimate MWC use (unlikely in modern enterprise environments)
+level: high
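Review bot: The `detection` block declares `selection1` but has no `condition`, so the rule is incomplete as written — Sigma requires `detection.condition`, and without it the converters reject the rule or it never fires; at minimum add `condition: selection1` as the last line of the block. The comment is right that the version-info Description survives a rename, but that string lives inside the binary and is not a trustworthy identifier by itself, so pairing it with an image-path selector gives the rule a second, independent signal: `selection2:` / `Image: '*\Microsoft.Workflow.Compiler.exe'` / `condition: selection1 or selection2`. The wildcard `'*Microsoft.Workflow.Compiler*'` on Description will also match any other process whose version metadata embeds that string, which is worth noting under `falsepositives` so triage expectations are set. The new file has no `id` or `date` fields; if the repository's rule schema expects them, they should be added before the rule leaves `experimental`.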