Suspicious WerFault Child Process

A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/24"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit
registry key manipulation. Verify process details such as command line, network connections and file writes.
"""
false_positives = ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WerFault Child Process"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
    "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
    "https://blog.menasec.net/2021/01/",
]
risk_score = 47
rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and

  process.parent.name : "WerFault.exe" and

  /* args -s and -t used to execute a process via SilentProcessExit mechanism */
  (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and

  not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
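To make the query's clauses concrete, the following is an added Python re-implementation of the rule logic, not Elastic's code, run over constructed sample process-start events. It approximates EQL's ":" operator (case-insensitive comparison with "?" and "*" wildcards) using fnmatch, uses the same ECS field names as the query in flattened form, and the WerFault command lines in the sample events are made up for illustration rather than taken from real telemetry.

```python
from fnmatch import fnmatchcase

# Parent-executable exclusions taken from the rule's query. In EQL '?'
# matches exactly one character, which here stands in for the drive letter.
EXCLUDED_EXECUTABLES = (
    "?:\\Windows\\SysWOW64\\Initcrypt.exe",
    "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe",
)

# WerFault.exe switches the rule ties to the SilentProcessExit launch path.
REQUIRED_PARENT_ARGS = ("-s", "-t", "-c")


def eql_match(value, pattern):
    """Approximate EQL's ':' operator: case-insensitive, '?' and '*' wildcards."""
    return fnmatchcase(str(value).lower(), pattern.lower())


def is_suspicious_werfault_child(event):
    """True when a process-start event satisfies every clause of the rule's query."""
    if event.get("event.category") != "process":
        return False  # 'process where ...'
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not eql_match(event.get("process.parent.name", ""), "WerFault.exe"):
        return False
    # On an array field ':' is true if any element matches the literal, so
    # each required switch must appear somewhere in the parent's argv.
    parent_args = event.get("process.parent.args", [])
    if not all(any(eql_match(a, sw) for a in parent_args) for sw in REQUIRED_PARENT_ARGS):
        return False
    # Known benign children (the rule's 'not process.executable : (...)' clause).
    executable = event.get("process.executable", "")
    if any(eql_match(executable, pat) for pat in EXCLUDED_EXECUTABLES):
        return False
    return True


def run_detection(events):
    """Return the indices of the events that would trigger the rule."""
    return [i for i, e in enumerate(events) if is_suspicious_werfault_child(e)]


# Constructed sample events (flattened ECS-style field names); not real telemetry.
SAMPLE_EVENTS = [
    {   # 0: WerFault started with -s/-t/-c spawning cmd.exe -> should alert
        "host.os.type": "windows", "event.category": "process", "event.type": "start",
        "process.parent.name": "WerFault.exe",
        "process.parent.args": ["WerFault.exe", "-s", "-t", "4120", "-i", "4120", "-c"],
        "process.executable": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # 1: ordinary crash-reporting invocation, no -t/-c -> no alert
        "host.os.type": "windows", "event.category": "process", "event.type": "start",
        "process.parent.name": "WerFault.exe",
        "process.parent.args": ["WerFault.exe", "-u", "-p", "2380", "-s", "1240"],
        "process.executable": "C:\\Windows\\System32\\conhost.exe",
    },
    {   # 2: same switches, but the child is on the exclusion list -> no alert
        "host.os.type": "windows", "event.category": "process", "event.type": "start",
        "process.parent.name": "werfault.exe",
        "process.parent.args": ["werfault.exe", "-s", "-t", "900", "-i", "900", "-c"],
        "process.executable": "c:\\program files (x86)\\heimdal\\heimdal.guard.exe",
    },
    {   # 3: process end rather than start -> no alert
        "host.os.type": "windows", "event.category": "process", "event.type": "end",
        "process.parent.name": "WerFault.exe",
        "process.parent.args": ["WerFault.exe", "-s", "-t", "4120", "-i", "4120", "-c"],
        "process.executable": "C:\\Windows\\System32\\cmd.exe",
    },
]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['process.parent.name']} -> {e['process.executable']}")
```

Only the first sample fires. Events 1 and 2 show the two ways the rule stays quiet on benign activity: a normal WerFault invocation lacks the -t and -c switches, and a child on the exclusion list is filtered even when the parent's switches match. Because EQL's ":" is case-insensitive and "?" consumes one character, the lower-case path with a different drive letter in event 2 still hits the exclusion, which is worth remembering when tuning the list.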

Setup

If you enable an EQL rule on a non-Elastic-Agent index (such as a Beats index) on stack versions earlier than 8.2, the events will not carry event.ingested, and the default fallback for EQL rules was not added until 8.2. You therefore need a custom ingest pipeline that populates event.ingested from @timestamp for this rule to work.
