Suspicious WerFault Child Process
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/24"
3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
6min_stack_version = "8.13.0"
7updated_date = "2024/06/11"
8
9[rule]
10author = ["Elastic"]
11description = """
12A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
13registry key manipulation. Verify process details such as command line, network connections and file writes.
14"""
15false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Suspicious WerFault Child Process"
21references = [
22 "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
23 "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
24 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
25 "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/",
26]
27risk_score = 47
28rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
29setup = """## Setup
30
31If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
32events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
33Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
34`event.ingested` to @timestamp.
35For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
36"""
37severity = "medium"
38tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43process where host.os.type == "windows" and event.type == "start" and
44
45 process.parent.name : "WerFault.exe" and
46
47 /* args -s and -t used to execute a process via SilentProcessExit mechanism */
48 (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and
49
50 not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1036"
58name = "Masquerading"
59reference = "https://attack.mitre.org/techniques/T1036/"
60
61
62[rule.threat.tactic]
63id = "TA0005"
64name = "Defense Evasion"
65reference = "https://attack.mitre.org/tactics/TA0005/"
66
67
68[[rule.threat]]
69framework = "MITRE ATT&CK"
70[[rule.threat.technique]]
71id = "T1546"
72name = "Event Triggered Execution"
73reference = "https://attack.mitre.org/techniques/T1546/"
74[[rule.threat.technique.subtechnique]]
75id = "T1546.012"
76name = "Image File Execution Options Injection"
77reference = "https://attack.mitre.org/techniques/T1546/012/"
78
79
80
81[rule.threat.tactic]
82id = "TA0003"
83name = "Persistence"
84reference = "https://attack.mitre.org/tactics/TA0003/"
85
86
87
88[[rule.threat]]
89framework = "MITRE ATT&CK"
90[[rule.threat.technique]]
91id = "T1546"
92name = "Event Triggered Execution"
93reference = "https://attack.mitre.org/techniques/T1546/"
94[[rule.threat.technique.subtechnique]]
95id = "T1546.012"
96name = "Image File Execution Options Injection"
97reference = "https://attack.mitre.org/techniques/T1546/012/"
98
99
100
101[rule.threat.tactic]
102id = "TA0004"
103name = "Privilege Escalation"
104reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- Component Object Model Hijacking
- Encoded Executable Stored in the Registry
- Persistence via BITS Job Notify Cmdline
- Persistence via Scheduled Job Creation
- Port Forwarding Rule Addition