{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/application-control/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-impairment","wdac","application-control","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief details a technique where attackers create or modify Windows Defender Application Control (WDAC) policies from non-standard or unauthorized processes. WDAC is a security feature in Windows designed to control which applications are allowed to run on a system. While legitimate processes (like PowerShell, Configuration Manager, or WDAC Wizard) typically manage these policies, an adversary gaining initial access could abuse this mechanism. By crafting and deploying a malicious WDAC policy, an attacker can effectively disable or bypass existing security controls, such as EDR or AV solutions, by whitelisting their own malicious payloads and blacklisting security agent components. This allows the attacker to execute their tools unimpeded, significantly impairing the victim's ability to detect and respond to ongoing intrusions. The detection focuses on file creation events in the \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e directory by processes not typically associated with WDAC policy management.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to a significant degradation of endpoint security posture. By weaponizing WDAC policies, attackers can bypass security software, allowing for unimpeded execution of malware, credential theft, data exfiltration, or further lateral movement. The primary impact is the loss of visibility and control for security teams, rendering installed EDR/AV solutions ineffective and increasing the risk of widespread compromise or data breaches without immediate detection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Potentially Suspicious WDAC Policy File Creation\u0026quot; provided in this brief to your SIEM and tune for your environment to detect unauthorized WDAC policy modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review file creation events in \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e for anomalies not covered by the \u003ccode\u003efilter_main_*\u003c/code\u003e exclusions in the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and principle of least privilege to prevent unauthorized processes from writing to critical system directories.\u003c/li\u003e\n\u003cli\u003eMonitor for any unexpected changes to WDAC policies via Group Policy or other management tools, especially those that block security software.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:49:54Z","date_published":"2026-07-03T13:49:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-suspicious-wdac-policy-creation/","summary":"Attackers may create Windows Defender Application Control (WDAC) policy files from abnormal processes to bypass Endpoint Detection and Response (EDR) or Antivirus (AV) solutions while allowing their own malicious code to execute on compromised Windows systems, impacting defense capabilities.","title":"Potentially Suspicious WDAC Policy File Creation","url":"https://feed.craftedsignal.io/briefs/2026-07-suspicious-wdac-policy-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Application-Control","version":"https://jsonfeed.org/version/1.1"}