Suspicious WerFault Child Process
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/24"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
13registry key manipulation. Verify process details such as command line, network connections and file writes.
14"""
15false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Suspicious WerFault Child Process"
21references = [
22 "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
23 "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
24 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
25 "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/",
26]
27risk_score = 47
28rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
29setup = """## Setup
30
31If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
32events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
33Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
34`event.ingested` to @timestamp.
35For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
36"""
37severity = "medium"
38tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43process where host.os.type == "windows" and event.type == "start" and
44
45 process.parent.name : "WerFault.exe" and
46
47 /* args -s and -t used to execute a process via SilentProcessExit mechanism */
48 (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and
49
50 not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1036"
58name = "Masquerading"
59reference = "https://attack.mitre.org/techniques/T1036/"
60
61
62[rule.threat.tactic]
63id = "TA0005"
64name = "Defense Evasion"
65reference = "https://attack.mitre.org/tactics/TA0005/"
66
67
68[[rule.threat]]
69framework = "MITRE ATT&CK"
70[[rule.threat.technique]]
71id = "T1546"
72name = "Event Triggered Execution"
73reference = "https://attack.mitre.org/techniques/T1546/"
74[[rule.threat.technique.subtechnique]]
75id = "T1546.012"
76name = "Image File Execution Options Injection"
77reference = "https://attack.mitre.org/techniques/T1546/012/"
78
79
80
81[rule.threat.tactic]
82id = "TA0003"
83name = "Persistence"
84reference = "https://attack.mitre.org/tactics/TA0003/"
85
86
87
88[[rule.threat]]
89framework = "MITRE ATT&CK"
90[[rule.threat.technique]]
91id = "T1546"
92name = "Event Triggered Execution"
93reference = "https://attack.mitre.org/techniques/T1546/"
94[[rule.threat.technique.subtechnique]]
95id = "T1546.012"
96name = "Image File Execution Options Injection"
97reference = "https://attack.mitre.org/techniques/T1546/012/"
98
99
100
101[rule.threat.tactic]
102id = "TA0004"
103name = "Privilege Escalation"
104reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- Component Object Model Hijacking
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- Adding Hidden File Attribute via Attrib
- Bypass UAC via Event Viewer
- Conhost Spawned By Suspicious Parent Process