{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft.workflow.compiler.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Microsoft.Workflow.Compiler.exe"],"_cs_severities":["high"],"_cs_tags":["lolbin","defense-evasion","living-off-the-land","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the suspicious renaming of the Microsoft Workflow Compiler (microsoft.workflow.compiler.exe), a legitimate but rarely used executable typically found in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319. Attackers may rename this file to masquerade malicious activity and bypass security solutions that rely on file name-based detection. This technique can be employed by various threat actors, including ransomware groups like BlackByte, to execute arbitrary code, escalate privileges, and maintain persistence on compromised systems. The LOLBAS Project documents this binary as a potential avenue for malicious code execution. This activity is significant because it represents a living-off-the-land (LOTL) tactic that is harder to detect than custom malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies Microsoft.Workflow.Compiler.exe in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319.\u003c/li\u003e\n\u003cli\u003eThe attacker renames Microsoft.Workflow.Compiler.exe to a different name (e.g., svchost.exe) using a command-line tool like \u003ccode\u003erename\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed executable with malicious parameters or a payload.\u003c/li\u003e\n\u003cli\u003eThe renamed Microsoft Workflow Compiler executes arbitrary code, bypassing file name-based security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves privilege escalation by exploiting the trust associated with the original executable.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by scheduling the renamed executable to run automatically.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to move laterally, exfiltrate data, or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful renaming and execution of the Microsoft Workflow Compiler can lead to significant compromise, allowing attackers to bypass security measures and execute arbitrary code. From there it enables privilege escalation, persistence, and further malicious activity such as data theft or ransomware deployment. The BlackByte ransomware group has been known to use similar LOLBIN techniques, and the ease of renaming the file makes it a popular choice for attackers looking to evade detection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events (Sysmon EventID 1 or Windows Event Log Security 4688) for the execution of renamed Microsoft Workflow Compiler processes using the provided Sigma rule \u003ccode\u003eDetect Suspicious Microsoft Workflow Compiler Execution\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions to collect and analyze process telemetry, including process names, original file names, parent processes, and command-line arguments.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Microsoft Workflow Compiler Rename\u003c/code\u003e to identify instances where \u003ccode\u003eMicrosoft.Workflow.Compiler.exe\u003c/code\u003e is renamed.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, paying close attention to the parent processes, command-line arguments, and destination hosts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging so that the rules above receive the telemetry they need.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-workflow-compiler-rename/","summary":"Detection of the renaming of microsoft.workflow.compiler.exe, a technique used by attackers to evade security controls and potentially execute arbitrary code for privilege escalation or persistence.","title":"Suspicious Microsoft Workflow Compiler Rename","url":"https://feed.craftedsignal.io/briefs/2024-01-03-workflow-compiler-rename/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft.Workflow.Compiler.exe","version":"https://jsonfeed.org/version/1.1"}