<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Application-Control - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/application-control/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:49:54 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/application-control/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potentially Suspicious WDAC Policy File Creation</title><link>https://feed.craftedsignal.io/briefs/2026-07-suspicious-wdac-policy-creation/</link><pubDate>Fri, 03 Jul 2026 13:49:54 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-suspicious-wdac-policy-creation/</guid><description>Attackers may create Windows Defender Application Control (WDAC) policy files from abnormal processes to bypass Endpoint Detection and Response (EDR) or Antivirus (AV) solutions while allowing their own malicious code to execute on compromised Windows systems, impacting defense capabilities.</description><content:encoded><![CDATA[<p>This threat brief details a technique where attackers create or modify Windows Defender Application Control (WDAC) policies from non-standard or unauthorized processes. WDAC is a security feature in Windows designed to control which applications are allowed to run on a system. While legitimate processes (like PowerShell, Configuration Manager, or WDAC Wizard) typically manage these policies, an adversary gaining initial access could abuse this mechanism. By crafting and deploying a malicious WDAC policy, an attacker can effectively disable or bypass existing security controls, such as EDR or AV solutions, by whitelisting their own malicious payloads and blacklisting security agent components. This allows the attacker to execute their tools unimpeded, significantly impairing the victim's ability to detect and respond to ongoing intrusions. The detection focuses on file creation events in the <code>C:\Windows\System32\CodeIntegrity\</code> directory by processes not typically associated with WDAC policy management.</p>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this technique can lead to a significant degradation of endpoint security posture. By weaponizing WDAC policies, attackers can bypass security software, allowing for unimpeded execution of malware, credential theft, data exfiltration, or further lateral movement. The primary impact is the loss of visibility and control for security teams, rendering installed EDR/AV solutions ineffective and increasing the risk of widespread compromise or data breaches without immediate detection.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Potentially Suspicious WDAC Policy File Creation&quot; provided in this brief to your SIEM and tune for your environment to detect unauthorized WDAC policy modifications.</li>
<li>Regularly review file creation events in <code>C:\Windows\System32\CodeIntegrity\</code> for anomalies not covered by the <code>filter_main_*</code> exclusions in the provided Sigma rule.</li>
<li>Implement strong access controls and principle of least privilege to prevent unauthorized processes from writing to critical system directories.</li>
<li>Monitor for any unexpected changes to WDAC policies via Group Policy or other management tools, especially those that block security software.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-impairment</category><category>wdac</category><category>application-control</category><category>windows</category></item></channel></rss>