Suspicious WerFault Child Process
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.
[metadata]
creation_date = "2020/08/24"
# Integrations whose process-event streams this rule reads; the concrete
# data streams are listed under `index` in [rule].
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
# Stack floor is tied to the Windows integration change described in
# min_stack_comments (per that note), not to the query itself.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"

[rule]
author = ["Elastic"]
description = """
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
registry key manipulation. Verify process details such as command line, network connections and file writes.
"""
# Benign sources of the same parent/child pattern. Two specific executables are
# carved out by path in the query below; anything else still fires and needs
# triage against the items listed here.
false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
# Lookback window per run; evaluated against event.ingested (see timestamp_override).
from = "now-9m"
# Process-event streams for each supported data source: Elastic Defend/Endgame,
# Sysmon via the Windows integration, SentinelOne, Microsoft Defender for Endpoint.
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WerFault Child Process"
# Background reading: how SilentProcessExit launches WerFault.exe, the meaning
# of WerFault's command-line switches, a sample Sysmon EVTX of the technique,
# and an archived write-up.
references = [
    "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
    "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
    "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/",
]
risk_score = 47
rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Persistence",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
]
# Window is measured on ingest time rather than the event's own @timestamp, so
# `from` above is relative to when the event reached the cluster.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic. Fires on any process start whose parent is named
# WerFault.exe and whose parent command line carries ALL THREE of -s, -t and -c,
# the switch combination this rule associates with a SilentProcessExit launch.
# (The inline EQL comment mentions only -s and -t, but the predicate requires
# -c as well; a WerFault.exe invocation missing any one of them does not match.)
#
# Both the parent match and the allowlist are name/path based only:
#  - `process.parent.name` checks the file name, not where WerFault.exe was
#    loaded from, so a copy named WerFault.exe anywhere on disk is treated the same.
#  - The two excluded executables are allowlisted purely by path (`?:` wildcards
#    the drive letter), so any binary planted at either path is excluded too.
# NOTE(review): where the data source exposes code-signature fields, pinning
# these exclusions to the expected signer would make the allowlist harder to abuse.
query = '''
process where host.os.type == "windows" and event.type == "start" and

  process.parent.name : "WerFault.exe" and

  /* args -s and -t used to execute a process via SilentProcessExit mechanism */
  (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and

  not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
'''


# ATT&CK mapping (1 of 3): the child process hides behind a legitimate-looking
# WerFault.exe parent, which the author files under Masquerading / Defense Evasion.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"


# ATT&CK mapping (2 of 3): the SilentProcessExit registry configuration that
# makes WerFault.exe launch the payload is mapped to T1546.012 under Persistence.
# The same technique is mapped again under Privilege Escalation below, matching
# the two "Tactic:" tags declared in [rule].
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.012"
name = "Image File Execution Options Injection"
reference = "https://attack.mitre.org/techniques/T1546/012/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"



# ATT&CK mapping (3 of 3): same technique (T1546.012) as the Persistence entry
# above, recorded a second time under Privilege Escalation so that both tactics
# tagged in [rule] are represented.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.012"
name = "Image File Execution Options Injection"
reference = "https://attack.mitre.org/techniques/T1546/012/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"