This is a built in function for C# in Microsoft Windows that essentially allows arbitrary unsigned code execution. It is part of the .NET framework and it works by combining a serialized workflow with an XML of serialized compiler arguments.
Running this compiler on some C# code allows for a fileless payload and execution. In my test, this was used for a remote shell out from one computer to another.
How does it affect me?
Users can easily download macro enabled Office documents that contain scripts designed to pull down the necessary source files and compile them into a working attack. Office macros have and always will be a huge attack vector, and disabling them outright is not an option in most cases.
In my test case, I wrote a macro to create and execute a VBS file that pulls down all needed source files. I event went so far as to mask my requests with a Google URL which I described in a previous post. This would render it harder for outgoing connections to be determined malicious. The Office document in question only raised flags on 6 AV's and that was because they recognized the VBScript being created downloaded other files. However these were not industry recognized brands or brands you would find in most corporate environments.
Remediation
I recommend using Windows AppLocker to prevent the use of Microsoft.Workflow.Compiler.exe as well as preventing PowerShell from downloading files. This would stop most Office malware from executing, and most users do not have a good reason to be using the workflow compiler. See an example AppLocker policy below to restrict this.
- In Local Security Policy, expand Application Control Policies -> AppLocker
- Right click Executable Rules -> Create New Rule
- Select Deny and the user or group who it should be denied to
- Since the Path of the file can be changed, select the File Hash option for blocking
- Browse to the file in question, and add it
- It can be found at this location C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
- Create!