title: Microsoft Workflow Compiler status: experimental description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. tags: - attack.defense_evasion - attack.execution - attack.t1127 author: Nik Seetharaman references: - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb logsource: category: process_creation product: windows detection: selection: Image: '*\Microsoft.Workflow.Compiler.exe' condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - Legitimate MWC use (unlikely in modern enterprise environments) level: high