Suspicious WerFault Child Process

A suspicious WerFault child process was detected, which may indicate an attempt to execute a process via SilentProcessExit registry key manipulation. Verify process details such as the command line, network connections and file writes.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule. [metadata] pins stack and integration requirements;
# [rule] holds the EQL detection logic and the MITRE ATT&CK mapping.
[metadata]
creation_date = "2020/08/24"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
# Floor follows from the SentinelOne integration change noted in min_stack_comments.
min_stack_version = "8.13.0"
updated_date = "2024/06/11"

[rule]
author = ["Elastic"]
description = """
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
registry key manipulation. Verify process details such as command line, network connections and file writes.
"""
# Known benign sources of WerFault child processes, for triage and exception tuning.
false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
from = "now-9m"
# Index patterns searched; the logs-* patterns correspond to the integrations listed in [metadata].
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WerFault Child Process"
# Background on the SilentProcessExit mechanism, WerFault switches, and a sample event log.
references = [
    "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
    "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
    "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/",
]
risk_score = 47
rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
# The rule keys on event.ingested rather than @timestamp; see the `setup` text for
# pre-8.2 beats indices that do not populate it.
timestamp_override = "event.ingested"
type = "eql"

# Matches a Windows process start whose parent is WerFault.exe launched with the -s, -t and -c
# arguments together (the SilentProcessExit launch pattern described in the inline comment),
# excluding two known benign executables by path.
# NOTE(review): the inline EQL comment names only -s and -t, but the condition also requires -c.
query = '''
process where host.os.type == "windows" and event.type == "start" and

  process.parent.name : "WerFault.exe" and

  /* args -s and -t used to execute a process via SilentProcessExit mechanism */
  (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and

  not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
'''


# ATT&CK mapping. Each [[rule.threat]] entry pairs one technique with one tactic; T1546.012 is
# repeated below so it is attributed to both Persistence and Privilege Escalation.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.012"
name = "Image File Execution Options Injection"
reference = "https://attack.mitre.org/techniques/T1546/012/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"



[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.012"
name = "Image File Execution Options Injection"
reference = "https://attack.mitre.org/techniques/T1546/012/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
