IOC: As a Windows SDK binary, execution on a system may be suspicious
AWL bypass
Execute arbitrary C# code embedded in a XOML file.
wfc.exe c:\path\to\test.xoml
Use case: Proxy execution of a payload through a Microsoft-signed binary to bypass WDAC policies
Privileges required: User
OS: Windows 10 2004 (likely previous and newer versions as well)
MITRE ATT&CK®: T1127
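
Added example, not part of the original entry: triage of process-creation events for the IOC and command line above, flagging any wfc.exe execution for review and raising it when a .xoml file is passed. The event field names (Image and CommandLine, modelled on Sysmon process-creation events), the severity labels, and all sample records are assumptions constructed for illustration.

```python
import ntpath
import shlex

# Constructed process-creation records; hosts, paths and values are invented.
SAMPLE_EVENTS = [
    {"host": "ws01", "Image": r"C:\sdk\bin\wfc.exe",
     "CommandLine": r"wfc.exe c:\path\to\test.xoml"},
    {"host": "ws02", "Image": r"C:\Tools\WFC.EXE",
     "CommandLine": r'"C:\Tools\WFC.EXE" "C:\Users\Public\my flow.XOML"'},
    {"host": "dev07", "Image": r"C:\sdk\bin\wfc.exe", "CommandLine": "wfc.exe /?"},
    {"host": "ws03", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe c:\path\to\test.xoml"},
]


def split_args(command_line):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    try:
        # posix=False leaves backslashes alone, which Windows paths need.
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        # Unbalanced quote in the logged string: fall back to whitespace split.
        tokens = command_line.split()
    return [t.strip('"') for t in tokens]


def triage(event):
    """Return None, 'review' (wfc.exe ran) or 'high' (wfc.exe given a .xoml file)."""
    image = ntpath.basename(event.get("Image") or "").lower()
    if image != "wfc.exe":
        return None
    args = split_args(event.get("CommandLine") or "")[1:]  # drop the program name
    if any(a.lower().endswith(".xoml") for a in args):
        return "high"
    return "review"


def scan(events):
    """Return (host, severity) for every event that needs attention."""
    results = []
    for event in events:
        severity = triage(event)
        if severity:
            results.append((event["host"], severity))
    return results


if __name__ == "__main__":
    for host, severity in scan(SAMPLE_EVENTS):
        print(f"{host}: {severity}")
```

Matching on the image file name alone does not catch a renamed copy of the binary; pair it with whatever signer or file-metadata fields your telemetry provides.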