From 8ff159abb744f1791fa35e552fed2b359ad22c87 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Thu, 29 Dec 2022 00:22:39 -0500 Subject: [PATCH] Update Wfc.yml with Sigma (#223) * Update Wfc.yml * Update acknowledgement * Update Wfc.yml * fix line feed issue after conflict Co-authored-by: bohops --- yml/OtherMSBinaries/Wfc.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/OtherMSBinaries/Wfc.yml b/yml/OtherMSBinaries/Wfc.yml index b9de32f..e66ddb8 100644 --- a/yml/OtherMSBinaries/Wfc.yml +++ b/yml/OtherMSBinaries/Wfc.yml @@ -17,6 +17,7 @@ Code_Sample: - Code: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ Detection: - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml - IOC: As a Windows SDK binary, execution on a system may be suspicious Resources: - Link: https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/