Suspicious WerFault Child Process
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/24"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
registry key manipulation. Verify process details such as command line, network connections and file writes.
"""
false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WerFault Child Process"
references = [
    "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
    "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
    "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/",
]
risk_score = 47
rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Persistence",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and

  process.parent.name : "WerFault.exe" and

  /* -s, -t and -c are the switches WerFault.exe receives when Windows launches it as a SilentProcessExit monitor */
  (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and

  not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious WerFault Child Process

WerFault.exe is the Windows Error Reporting fault handler that runs when an application crashes. The SilentProcessExit feature extends it: when an executable has the FLG_MONITOR_SILENT_PROCESS_EXIT bit (0x200) set in the GlobalFlag value of its Image File Execution Options key, and a SilentProcessExit\\<process> key names a MonitorProcess, Windows starts WerFault.exe with the -s -t ... -c switches each time that process exits, and WerFault launches the named MonitorProcess. Adversaries abuse this to start a payload with a trusted, signed parent and a trigger that lives only in the registry. The detection rule identifies child processes of WerFault.exe whose parent command line carries those switches, excluding two known legitimate registrations.

### Possible investigation steps

- Review the command line of the parent WerFault.exe process (process.parent.args) and confirm it carries the "-s", "-t" and "-c" switches together; that combination is what WerFault receives when launched as a SilentProcessExit monitor, as opposed to the "-u -p <pid> -s <handle>" form used for ordinary crash reporting.
- Examine the child's full executable path, signature and publisher. The rule already excludes two known legitimate registrations ("?:\\Windows\\SysWOW64\\Initcrypt.exe" and "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe"), so an alert means the child is something else; binaries in user-writable locations such as %TEMP%, %APPDATA% or the Public folder deserve particular suspicion.
- Investigate the network connections established by the suspicious process to identify any unusual or unauthorized external communications.
- Analyze file writes and modifications made by the process to detect any unauthorized changes or potential indicators of compromise.
- Identify which process exited to trigger the monitor, and compare the MonitorProcess value of its SilentProcessExit registry entry with the child that actually spawned; look at what created or modified that entry (Sysmon event ID 13) and at the activity preceding it.
- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Microsoft Defender for Endpoint, Sysmon, or SentinelOne to gather additional context and assess the scope of the potential threat.

### False positive analysis

- Legitimate software may register its own SilentProcessExit monitor (for example to restart a component after a crash) and then produces exactly this parent command line. Verify the digital signature of the child executable and confirm that the registration belongs to an approved product.
- Security software or system management tools might use WerFault.exe for legitimate purposes. Create exceptions for these known tools by adding their executables to the exclusion list in the detection rule.
- Custom scripts or enterprise applications that utilize WerFault.exe for error handling could be flagged. Review the process details and, if verified as non-threatening, add these scripts or applications to the exclusion list.
- Frequent occurrences of the same process being flagged can indicate a benign pattern. Monitor these patterns and, if consistently verified as safe, update the rule to exclude these specific processes.

### Response and remediation

- Isolate the affected system from the network to prevent further potential malicious activity and lateral movement.
- Terminate the suspicious child process of WerFault.exe immediately to halt any ongoing malicious actions.
- Review HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\<process> for MonitorProcess values you do not recognize, and the matching Image File Execution Options\\<process> key for a GlobalFlag containing 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT); record and then remove unauthorized entries.
- Restore any altered or deleted files from a known good backup to ensure system integrity and recover any lost data.
- Update and run a full antivirus and anti-malware scan on the affected system to detect and remove any additional threats or remnants of the attack.
- Monitor network traffic and system logs for any signs of persistence mechanisms or further attempts to exploit the SilentProcessExit mechanism.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.012"
name = "Image File Execution Options Injection"
reference = "https://attack.mitre.org/techniques/T1546/012/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"



[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.012"
name = "Image File Execution Options Injection"
reference = "https://attack.mitre.org/techniques/T1546/012/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
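The query above, re-implemented as an added Python example so its matching semantics can be checked offline. This is not Elastic's code and not how the Elastic engine evaluates EQL; it mirrors the predicate: the EQL `:` operator is case-insensitive with `?` and `*` wildcards, the three switches are tested on the parent's argument list rather than the child's, and the two exclusion patterns match on any drive letter. Field names follow ECS as used by the rule; the sample events, including the WerFault switch layouts, are constructed for the example and are not captured telemetry.

```python
"""Mirror of the rule's EQL predicate, run over constructed process-start events."""
from __future__ import annotations

from fnmatch import fnmatchcase
from typing import Any

# Exclusion list copied from the rule; "?:" stands for any drive letter.
EXCLUDED_EXECUTABLES = (
    r"?:\Windows\SysWOW64\Initcrypt.exe",
    r"?:\Program Files (x86)\Heimdal\Heimdal.Guard.exe",
)
# All three must appear on the PARENT (WerFault.exe) command line.
SILENT_EXIT_SWITCHES = ("-s", "-t", "-c")


def eql_like(value: str | None, pattern: str) -> bool:
    """EQL ':' semantics: case-insensitive, '?' = one char, '*' = any run."""
    return value is not None and fnmatchcase(value.lower(), pattern.lower())


def args_contain(args: list[str], needle: str) -> bool:
    """EQL ':' against an array field is true when any element matches."""
    return any(eql_like(a, needle) for a in args)


def is_suspicious_werfault_child(event: dict[str, Any]) -> bool:
    """True when the event would fire the rule.

    The switches are tested on process.parent.args, not on the child: WerFault
    receives -s -t <pid> ... -c when Windows starts it as a SilentProcessExit
    monitor, and the child is whatever MonitorProcess the registry named.
    """
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not eql_like(event.get("process.parent.name"), "WerFault.exe"):
        return False
    parent_args = event.get("process.parent.args", [])
    if not all(args_contain(parent_args, sw) for sw in SILENT_EXIT_SWITCHES):
        return False
    exe = event.get("process.executable")
    return not any(eql_like(exe, pat) for pat in EXCLUDED_EXECUTABLES)


def flagged_executables(events: list[dict[str, Any]]) -> list[str]:
    """Executables of the children that would raise an alert, in event order."""
    return [e["process.executable"] for e in events if is_suspicious_werfault_child(e)]


def _werfault_event(parent_args: list[str], child_exe: str,
                    child_args: list[str] | None = None) -> dict[str, Any]:
    """Build a minimal ECS-style process-start event (constructed sample data)."""
    return {
        "host.os.type": "windows",
        "event.type": "start",
        "process.parent.name": "WerFault.exe",
        "process.parent.args": parent_args,
        "process.executable": child_exe,
        "process.args": child_args or [child_exe],
    }


# Constructed samples; the switch layouts follow the rule's comment and the
# Hexacorn write-ups it references, not captured telemetry.
SAMPLE_EVENTS = [
    # 1: monitor launch, unknown payload in a user-writable path -> alert
    _werfault_event(["WerFault.exe", "-s", "-t", "4812", "-i", "4812", "-c"],
                    r"C:\Users\Public\updater.exe"),
    # 2: ordinary crash handling; "-s" alone is not enough -> no alert
    _werfault_event(["WerFault.exe", "-u", "-p", "3120", "-s", "1024"],
                    r"C:\Windows\System32\cmd.exe"),
    # 3: monitor launch of an excluded product on a non-C: drive -> no alert
    _werfault_event(["WerFault.exe", "-s", "-t", "2200", "-i", "2200", "-c"],
                    r"D:\Program Files (x86)\Heimdal\Heimdal.Guard.exe"),
    # 4: switches only on the CHILD command line; the rule ignores them -> no alert
    _werfault_event(["WerFault.exe", "-u", "-p", "77", "-s", "77"],
                    r"C:\Tools\agent.exe", ["agent.exe", "-s", "-t", "-c"]),
]

if __name__ == "__main__":
    for exe in flagged_executables(SAMPLE_EVENTS):
        print("ALERT: suspicious WerFault child", exe)
```

Sample 4 is the case the investigation guide is easy to misread: a child whose own arguments happen to contain -s, -t and -c does not fire the rule, and a monitor launch whose parent line carries them does, whatever the child's arguments are. When tuning exclusions, keep them on process.executable with the drive wildcard, as the rule does, so a product installed on a second volume is still excluded.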
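The remediation step that reviews the SilentProcessExit key can be done offline from a `reg export` of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion collected during triage. The following is an added example, not part of the rule or of Elastic's tooling: it parses such a dump, lists every MonitorProcess registration, checks whether the matching Image File Execution Options key actually arms it with GlobalFlag 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT), and flags monitors that live in user-writable directories. The dump text is constructed for the example; the parser handles only string and dword values, which are the types these keys use, and the user-writable directory list is an assumption to adapt to the environment.

```python
"""Offline review of SilentProcessExit registrations from a 'reg export' dump."""
from __future__ import annotations

from typing import Any

FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200
SPE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Assumed list of directories an unprivileged user can write to; adapt per environment.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed dump in .reg syntax (what `reg export` emits), trimmed to the keys that matter.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Users\\Public\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Program Files\\Vendor\\restart-helper.exe"
'''


def parse_reg_export(text: str) -> dict[str, dict[str, Any]]:
    """Parse .reg text into {key_path: {value_name: value}}; strings and dwords only."""
    keys: dict[str, dict[str, Any]] = {}
    current: str | None = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # .reg doubles backslashes and escapes quotes inside strings.
                keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def review_silent_process_exit(keys: dict[str, dict[str, Any]]) -> list[dict[str, Any]]:
    """One finding per SilentProcessExit\\<target> key, with its arming status."""
    by_lower = {path.lower(): values for path, values in keys.items()}
    spe_prefix = SPE_KEY.lower() + "\\"
    findings: list[dict[str, Any]] = []
    for path, values in keys.items():
        if not path.lower().startswith(spe_prefix):
            continue
        target = path[len(spe_prefix):]
        ifeo = by_lower.get((IFEO_KEY + "\\" + target).lower(), {})
        monitor = values.get("MonitorProcess")
        findings.append({
            "target": target,
            "monitor_process": monitor,
            "reporting_mode": values.get("ReportingMode"),
            # The monitor only fires if the IFEO GlobalFlag carries the 0x200 bit.
            "armed": bool(ifeo.get("GlobalFlag", 0) & FLG_MONITOR_SILENT_PROCESS_EXIT),
            "user_writable_path": bool(monitor) and any(
                hint in monitor.lower() for hint in USER_WRITABLE_HINTS),
        })
    return findings


if __name__ == "__main__":
    for f in review_silent_process_exit(parse_reg_export(SAMPLE_REG)):
        state = "ARMED" if f["armed"] else "not armed (no GlobalFlag 0x200)"
        warn = "  <-- user-writable monitor path" if f["user_writable_path"] else ""
        print(f'{f["target"]}: MonitorProcess={f["monitor_process"]} [{state}]{warn}')
```

An entry that is registered but not armed still deserves attention: an attacker may set the two values in either order, and a half-finished registration is often the earliest artifact. Conversely, removing only the SilentProcessExit key and leaving the IFEO GlobalFlag in place is harmless but untidy; clear both.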
Related rules
- Creation or Modification of a new GPO Scheduled Task or Service
- Image File Execution Options Injection
- Installation of Security Support Provider
- Persistence via PowerShell profile
- Persistence via TelemetryController Scheduled Task Hijack